In all large corporations, there is a pervasive fear that someone, somewhere is having fun with a computer on company time. Networks help alleviate that fear.
Limiting the maximum number of processes a user may run is a way to prevent one user from hogging all of the system's resources and crashing it.
This can be done by editing either one of these two files (the paths below are the ones used in the Gentoo Linux distribution; use slocate <file> if you can't find them on another distro):
/etc/limits: owned by the sys-apps/shadow package.
/etc/security/limits.conf: owned by the sys-libs/pam package.
Nearly all distributions ship with the PAM package, but I will explain both.
Please note that all numbers stated here are purely examples and should not be used as a reference. My suggestion is to open a few applications, see how many processes are in use at that point, and take that as your reference number.
/etc/limits
In this file, each line consists of a username (the wildcard * is allowed), followed by one or more limitation codes, each with its value.
limitation codes
CODE :
A: max address space (KB)
C: max core file size (KB)
D: max data size (KB)
F: maximum filesize (KB)
M: max locked-in-memory address space (KB)
N: max number of open files
R: max resident set size (KB)
S: max stack size (KB)
T: max CPU time (MIN)
U: max number of processes
L: max number of logins for this user
K: file creation mask, set by umask
P: process priority, set by setpriority
Example
CODE :
# Jacky may not log in more than twice, and may only spawn 40 processes
# (make sure not to make it too tight, or the system might not be able to run properly because of the limited number of processes allowed)
jacky L 2 U 35
# All users are only allowed to have files of 8GB in size.
* F 8388608
/etc/security/limits.conf
Most people would want to edit this file, because it offers more flexibility and the ability to set soft and hard limits.
soft: this generates a warning.
hard: this just plain blocks the user from exceeding the limit, and the attempt will be logged.
Another advantage of this file over /etc/limits is that we can use groups to manage the users. We do this by preceding the group name with an '@' symbol.
File format
CODE :
<domain> <limittype> <item> <value>
<domain> can be:
1. a user name
2. a group name, with @group syntax
3. the wildcard *, for default entry
4. the wildcard %, which can also be used with the %group syntax, for the maxlogins limit
<limittype> can have one of two values:
1. "soft" for enforcing the soft limits
2. "hard" for enforcing hard limits
<item> can be one of the following:
1. core - limits the core file size (KB)
2. data - max data size (KB)
3. fsize - maximum filesize (KB)
4. memlock - max locked-in-memory address space (KB)
5. nofile - max number of open files
6. rss - max resident set size (KB)
7. stack - max stack size (KB)
8. cpu - max CPU time (MIN)
9. nproc - max number of processes
10. as - address space limit (KB)
11. maxlogins - max number of logins for this user
12. priority - the priority to run the user's processes with
13. locks - max number of file locks the user can hold
Example
CODE :
# This will prevent everyone from dumping core files
* hard core 0
# The following will give everybody in the users group a warning if they exceed 35 processes, and prevent more from spawning once they reach 45
@users soft nproc 35
@users hard nproc 45
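As an added example (not the article's own code), the following POSIX shell script reads limits.conf-format text and resolves the value pam_limits would apply for a given user, following the precedence pam_limits(8) documents (a user entry over an @group entry over the * default), and also flags entries whose soft value exceeds the hard value. The sample file content, the user "jacky" and the group "users" are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the article's code: resolve the limit pam_limits would
# apply from limits.conf-format text on stdin, and sanity-check such a file.
# Constructed sample in /etc/security/limits.conf format.
SAMPLE_LIMITS='
*        hard  core   0
@users   soft  nproc  35
@users   hard  nproc  45
jacky    hard  nproc  40
'

# effective_limit USER GROUPS ITEM TYPE (GROUPS comma-separated). Precedence as
# in pam_limits(8): user entry > @group entry > "*"; a "-" type means soft and hard.
effective_limit() {
    awk -v u="$1" -v g="$2" -v it="$3" -v ty="$4" '
        NF == 0 || $1 ~ /^#/  { next }   # blank lines and comments
        $3 != it              { next }   # some other item
        $2 != ty && $2 != "-" { next }   # wrong soft/hard type
        {
            rank = 0
            if ($1 == "*") rank = 1
            else if (substr($1, 1, 1) == "@") {
                n = split(g, gs, ",")
                for (i = 1; i <= n; i++) if (gs[i] == substr($1, 2)) rank = 2
            } else if ($1 == u) rank = 3
            if (rank > best) { best = rank; val = $4 }   # most specific wins
        }
        END { print (best ? val : "unset") }'
}

# check_soft_le_hard: report domain/item pairs whose soft value exceeds the
# hard value (the hard limit always caps the soft one). Exit status = bad pairs.
check_soft_le_hard() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        $2 == "soft" { soft[$1, $3] = $4 }
        $2 == "hard" { hard[$1, $3] = $4 }
        END {
            for (k in soft)
                if ((k in hard) && hard[k] != "unlimited" && soft[k] + 0 > hard[k] + 0) {
                    split(k, p, SUBSEP); print "soft > hard for", p[1], p[2]; bad++
                }
            exit bad + 0
        }'
}

# After logging in again, compare with what the shell actually got (bash/dash ulimit).
show_live_nproc() { echo "soft nproc: $(ulimit -Su)  hard nproc: $(ulimit -Hu)"; }
printf '%s\n' "$SAMPLE_LIMITS" | effective_limit jacky users nproc hard   # prints 40
```

Run show_live_nproc in a fresh login session to confirm the values PAM actually applied; the file parser alone cannot tell you whether the rules were loaded.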
Testing
If you wish to test whether it worked, make sure the new rules are loaded (PAM applies them when a new session is opened, so log in again), then run a small forkbomb. SAVE all important data before running this forkbomb.
CODE :
:(){ :|:& };:
If your system still crashes, tighten the process limit a little and try again.
(a simple reboot is the solution if your system hangs after running a forkbomb)
If you still have questions, feel free to pm me.
HackThisSite is the collective work of the HackThisSite staff, licensed under a CC BY-NC license.
We ask that you inform us upon sharing or distributing.