man-pages/man5/limits.conf.5.html
2021-03-31 01:06:50 +01:00

422 lines
8.6 KiB
HTML

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE>Man page of LIMITS.CONF</TITLE>
</HEAD><BODY>
<H1>LIMITS.CONF</H1>
Section: Linux-PAM Manual (5)<BR>Updated: 05/18/2017<BR><A HREF="#index">Index</A>
<A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR>
<A NAME="lbAB">&nbsp;</A>
<H2>NAME</H2>
limits.conf - configuration file for the pam_limits module
<A NAME="lbAC">&nbsp;</A>
<H2>DESCRIPTION</H2>
<P>
The
<I>pam_limits.so</I>
module applies ulimit limits, nice priority and number of simultaneous login sessions limit to user login sessions. This description of the configuration file syntax applies to the
/etc/security/limits.conf
file and
*.conf
files in the
/etc/security/limits.d
directory.
<P>
The syntax of the lines is as follows:
<P>
<I>&lt;domain&gt;</I><I>&lt;type&gt;</I><I>&lt;item&gt;</I><I>&lt;value&gt;</I>
<P>
The fields listed above should be filled as follows:
<P>
<B>&lt;domain&gt;</B>
<DL COMPACT><DT id="1"><DD>
<P>
<DL COMPACT><DT id="2"><DD>
&bull;
a username
</DL>
<P>
<DL COMPACT><DT id="3"><DD>
&bull;
a groupname, with
<B>@group</B>
syntax. This should not be confused with netgroups.
</DL>
<P>
<DL COMPACT><DT id="4"><DD>
&bull;
the wildcard
<B>*</B>, for default entry.
</DL>
<P>
<DL COMPACT><DT id="5"><DD>
&bull;
the wildcard
<B>%</B>, for maxlogins limit only, can also be used with
<B>%group</B>
syntax. If the
<B>%</B>
wildcard is used alone it is identical to using
<B>*</B>
with maxsyslogins limit. With a group specified after
<B>%</B>
it limits the total number of logins of all users that are member of the group.
</DL>
<P>
<DL COMPACT><DT id="6"><DD>
&bull;
an uid range specified as
<I>&lt;min_uid&gt;</I><B>:</B><I>&lt;max_uid&gt;</I>. If min_uid is omitted, the match is exact for the max_uid. If max_uid is omitted, all uids greater than or equal min_uid match.
</DL>
<P>
<DL COMPACT><DT id="7"><DD>
&bull;
a gid range specified as
<B>@</B><I>&lt;min_gid&gt;</I><B>:</B><I>&lt;max_gid&gt;</I>. If min_gid is omitted, the match is exact for the max_gid. If max_gid is omitted, all gids greater than or equal min_gid match. For the exact match all groups including the user's supplementary groups are examined. For the range matches only the user's primary group is examined.
</DL>
<P>
<DL COMPACT><DT id="8"><DD>
&bull;
a gid specified as
<B>%:</B><I>&lt;gid&gt;</I>
applicable to maxlogins limit only. It limits the total number of logins of all users that are member of the group with the specified gid.
</DL>
<P>
<B>NOTE:</B>
group and wildcard limits are not applied to the root user. To set a limit for the root user, this field must contain the literal username
<B>root</B>.
</DL>
<P>
<B>&lt;type&gt;</B>
<DL COMPACT><DT id="9"><DD>
<P>
<B>hard</B>
<DL COMPACT><DT id="10"><DD>
for enforcing
<B>hard</B>
resource limits. These limits are set by the superuser and enforced by the Kernel. The user cannot raise his requirement of system resources above such values.
</DL>
<P>
<B>soft</B>
<DL COMPACT><DT id="11"><DD>
for enforcing
<B>soft</B>
resource limits. These limits are ones that the user can move up or down within the permitted range by any pre-existing
<B>hard</B>
limits. The values specified with this token can be thought of as
<I>default</I>
values, for normal system usage.
</DL>
<P>
<B>-</B>
<DL COMPACT><DT id="12"><DD>
for enforcing both
<B>soft</B>
and
<B>hard</B>
resource limits together.
<P>
Note, if you specify a type of '-' but neglect to supply the item and value fields then the module will never enforce any limits on the specified user/group etc. .
</DL>
</DL>
<P>
<B>&lt;item&gt;</B>
<DL COMPACT><DT id="13"><DD>
<P>
<B>core</B>
<DL COMPACT><DT id="14"><DD>
limits the core file size (KB)
</DL>
<P>
<B>data</B>
<DL COMPACT><DT id="15"><DD>
maximum data size (KB)
</DL>
<P>
<B>fsize</B>
<DL COMPACT><DT id="16"><DD>
maximum filesize (KB)
</DL>
<P>
<B>memlock</B>
<DL COMPACT><DT id="17"><DD>
maximum locked-in-memory address space (KB)
</DL>
<P>
<B>nofile</B>
<DL COMPACT><DT id="18"><DD>
maximum number of open file descriptors
</DL>
<P>
<B>rss</B>
<DL COMPACT><DT id="19"><DD>
maximum resident set size (KB) (Ignored in Linux 2.4.30 and higher)
</DL>
<P>
<B>stack</B>
<DL COMPACT><DT id="20"><DD>
maximum stack size (KB)
</DL>
<P>
<B>cpu</B>
<DL COMPACT><DT id="21"><DD>
maximum CPU time (minutes)
</DL>
<P>
<B>nproc</B>
<DL COMPACT><DT id="22"><DD>
maximum number of processes
</DL>
<P>
<B>as</B>
<DL COMPACT><DT id="23"><DD>
address space limit (KB)
</DL>
<P>
<B>maxlogins</B>
<DL COMPACT><DT id="24"><DD>
maximum number of logins for this user (this limit does not apply to user with
<I>uid=0</I>)
</DL>
<P>
<B>maxsyslogins</B>
<DL COMPACT><DT id="25"><DD>
maximum number of all logins on system; user is not allowed to log-in if total number of all user logins is greater than specified number (this limit does not apply to user with
<I>uid=0</I>)
</DL>
<P>
<B>priority</B>
<DL COMPACT><DT id="26"><DD>
the priority to run user process with (negative values boost process priority)
</DL>
<P>
<B>locks</B>
<DL COMPACT><DT id="27"><DD>
maximum locked files (Linux 2.4 and higher)
</DL>
<P>
<B>sigpending</B>
<DL COMPACT><DT id="28"><DD>
maximum number of pending signals (Linux 2.6 and higher)
</DL>
<P>
<B>msgqueue</B>
<DL COMPACT><DT id="29"><DD>
maximum memory used by POSIX message queues (bytes) (Linux 2.6 and higher)
</DL>
<P>
<B>nice</B>
<DL COMPACT><DT id="30"><DD>
maximum nice priority allowed to raise to (Linux 2.6.12 and higher) values: [-20,19]
</DL>
<P>
<B>rtprio</B>
<DL COMPACT><DT id="31"><DD>
maximum realtime priority allowed for non-privileged processes (Linux 2.6.12 and higher)
</DL>
<P>
<B>chroot</B>
<DL COMPACT><DT id="32"><DD>
the directory to chroot the user to
</DL>
</DL>
<P>
All items support the values
<I>-1</I>,
<I>unlimited</I>
or
<I>infinity</I>
indicating no limit, except for
<B>priority</B>
and
<B>nice</B>.
<P>
If a hard limit or soft limit of a resource is set to a valid value, but outside of the supported range of the local system, the system may reject the new limit or unexpected behavior may occur. If the control value
<I>required</I>
is used, the module will reject the login if a limit could not be set.
<P>
In general, individual limits have priority over group limits, so if you impose no limits for
<I>admin</I>
group, but one of the members in this group have a limits line, the user will have its limits set according to this line.
<P>
Also, please note that all limit settings are set
<I>per login</I>. They are not global, nor are they permanent; existing only for the duration of the session. One exception is the
<I>maxlogin</I>
option, this one is system wide. But there is a race, concurrent logins at the same time will not always be detect as such but only counted as one.
<P>
In the
<I>limits</I>
configuration file, the '<B>#</B>' character introduces a comment - after which the rest of the line is ignored.
<P>
The pam_limits module does report configuration problems found in its configuration file and errors via
<B><A HREF="/cgi-bin/man/man2html?3+syslog">syslog</A></B>(3).
<A NAME="lbAD">&nbsp;</A>
<H2>EXAMPLES</H2>
<P>
These are some example lines which might be specified in
/etc/security/limits.conf.
<P>
<DL COMPACT><DT id="33"><DD>
<PRE>
* soft core 0
root hard core 100000
* hard nofile 512
@student hard nproc 20
@faculty soft nproc 20
@faculty hard nproc 50
ftp hard nproc 0
@student - maxlogins 4
:123 hard cpu 5000
@500: soft cpu 10000
600:700 hard locks 10
</PRE>
</DL>
<A NAME="lbAE">&nbsp;</A>
<H2>SEE ALSO</H2>
<P>
<B><A HREF="/cgi-bin/man/man2html?8+pam_limits">pam_limits</A></B>(8),
<B><A HREF="/cgi-bin/man/man2html?5+pam.d">pam.d</A></B>(5),
<B><A HREF="/cgi-bin/man/man2html?7+pam">pam</A></B>(7),
<B><A HREF="/cgi-bin/man/man2html?2+getrlimit">getrlimit</A></B>(2),
<B><A HREF="/cgi-bin/man/man2html?3p+getrlimit">getrlimit</A></B>(3p)
<A NAME="lbAF">&nbsp;</A>
<H2>AUTHOR</H2>
<P>
pam_limits was initially written by Cristian Gafton &lt;<A HREF="mailto:gafton@redhat.com">gafton@redhat.com</A>&gt;
<P>
<HR>
<A NAME="index">&nbsp;</A><H2>Index</H2>
<DL>
<DT id="34"><A HREF="#lbAB">NAME</A><DD>
<DT id="35"><A HREF="#lbAC">DESCRIPTION</A><DD>
<DT id="36"><A HREF="#lbAD">EXAMPLES</A><DD>
<DT id="37"><A HREF="#lbAE">SEE ALSO</A><DD>
<DT id="38"><A HREF="#lbAF">AUTHOR</A><DD>
</DL>
<HR>
This document was created by
<A HREF="/cgi-bin/man/man2html">man2html</A>,
using the manual pages.<BR>
Time: 00:06:03 GMT, March 31, 2021
</BODY>
</HTML>