Search:  
Gentoo Wiki

SECURITY_Limit_User_Processes

This article is part of the Security series.

Contents

Introduction

Limiting user processes is one way to make sure that one user can not "commandeer" the system making it unusable for others. To limit the processes a user on your system can run we have two files to edit

/etc/limits 
owned by the sys-apps/shadow package
/etc/security/limits.conf 
owned the the sys-libs/pam package : This only affects programs affected by PAM, so the pam USE flag should be set.

/etc/limits

File format

Each line consists of username followed by a limit string. The limit string describes limits for particular user. The options are:

Example

File: /etc/limits
# This will limit all users to 40 processes max.  This can be used to prevent a "fork bomb".
# Be warned, if the user logs into a Desktop Environment like GNOME or KDE, 
#   this could cause problems due to how many processes they launch.
* U 40

# Limit fred to logging in no more than twice.  NOTE:  This does not affect virtual terminals for some reason.
fred L 2

/etc/security/limits.conf

Most people prefer to edit this file because its more readable and offers more flexibility. This file can also enforce both hard and soft limits. Soft limits can be exceeded, and will usually issue a warning of some kind. Hard limits can not. Also, unlike the other limits file, limits.conf can match groups. To match a group, preceed the group name with a "@".

File Format

<domain> <limittype> <item> <value>

<domain> can be:

  1. an user name
  2. a group name, with @group syntax
  3. the wildcard *, for default entry
  4. the wildcard %, can be also used with %group syntax,

for maxlogin limit

<limittype> can have the two values:

  1. "soft" for enforcing the soft limits
  2. "hard" for enforcing hard limits

<item> can be one of the following:

  1. core - limits the core file size (KB)
  2. data - max data size (KB)
  3. fsize - maximum filesize (KB)
  4. memlock - max locked-in-memory address space (KB)
  5. nofile - max number of open files
  6. rss - max resident set size (KB)
  7. stack - max stack size (KB)
  8. cpu - max CPU time (MIN)
  9. nproc - max number of processes
  10. as - address space limit
  11. maxlogins - max number of logins for this user
  12. priority - the priority to run user process with
  13. locks - max number of file locks the user can hold

Example

File: /etc/security/limits.conf
# Prevents anyone from dumping core files.
*               hard    core   0

# This will prevent anyone in the 'users' group from having more than 150 processes, and a warning will be given at 100 processes.
@users          soft    nproc  100
@users          hard    nproc  150

Testing

To check, if you are protected. You can run this cute little forkbomb:

:(){ :|:& };:

Be warned that this might lock-up your system, so you'd better be close to the reset-button just in case something went wrong. Of course you should close all applications which might not like a sudden termination.

In case you're curious:

This creates a function called ":"
The code in the function recursively calls the function and pipes the output
to another invocation of the function
The "&" puts the call into the background
 -- that way the child process don't die if the parent exits or is killed.
Note that by invoking the function twice, you get exponential growth in
the number of processes.

If you worry that you set up limits.conf incorrectly, a more timid (and far less elegant!) test could be:

for i in `seq 500`; do sleep 5 & done
Retrieved from "http://www.gentoo-wiki.info/SECURITY_Limit_User_Processes"

Last modified: Mon, 04 Aug 2008 09:04:00 +0000 Hits: 33,376