422 lines
8.6 KiB
HTML
422 lines
8.6 KiB
HTML
|
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
|
<HTML><HEAD><TITLE>Man page of LIMITS.CONF</TITLE>
|
|
</HEAD><BODY>
|
|
<H1>LIMITS.CONF</H1>
|
|
Section: Linux-PAM Manual (5)<BR>Updated: 05/18/2017<BR><A HREF="#index">Index</A>
|
|
<A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<A NAME="lbAB"> </A>
|
|
<H2>NAME</H2>
|
|
|
|
limits.conf - configuration file for the pam_limits module
|
|
<A NAME="lbAC"> </A>
|
|
<H2>DESCRIPTION</H2>
|
|
|
|
<P>
|
|
|
|
The
|
|
<I>pam_limits.so</I>
|
|
module applies ulimit limits, nice priority and number of simultaneous login sessions limit to user login sessions. This description of the configuration file syntax applies to the
|
|
/etc/security/limits.conf
|
|
file and
|
|
*.conf
|
|
files in the
|
|
/etc/security/limits.d
|
|
directory.
|
|
<P>
|
|
|
|
The syntax of the lines is as follows:
|
|
<P>
|
|
|
|
<I><domain></I><I><type></I><I><item></I><I><value></I>
|
|
<P>
|
|
|
|
The fields listed above should be filled as follows:
|
|
<P>
|
|
|
|
<B><domain></B>
|
|
<DL COMPACT><DT id="1"><DD>
|
|
<P>
|
|
<DL COMPACT><DT id="2"><DD>
|
|
•
|
|
|
|
|
|
a username
|
|
</DL>
|
|
|
|
<P>
|
|
<DL COMPACT><DT id="3"><DD>
|
|
•
|
|
|
|
|
|
a groupname, with
|
|
<B>@group</B>
|
|
syntax. This should not be confused with netgroups.
|
|
</DL>
|
|
|
|
<P>
|
|
<DL COMPACT><DT id="4"><DD>
|
|
•
|
|
|
|
|
|
the wildcard
|
|
<B>*</B>, for default entry.
|
|
</DL>
|
|
|
|
<P>
|
|
<DL COMPACT><DT id="5"><DD>
|
|
•
|
|
|
|
|
|
the wildcard
|
|
<B>%</B>, for maxlogins limit only, can also be used with
|
|
<B>%group</B>
|
|
syntax. If the
|
|
<B>%</B>
|
|
wildcard is used alone it is identical to using
|
|
<B>*</B>
|
|
with maxsyslogins limit. With a group specified after
|
|
<B>%</B>
|
|
it limits the total number of logins of all users that are member of the group.
|
|
</DL>
|
|
|
|
<P>
|
|
<DL COMPACT><DT id="6"><DD>
|
|
•
|
|
|
|
|
|
an uid range specified as
|
|
<I><min_uid></I><B>:</B><I><max_uid></I>. If min_uid is omitted, the match is exact for the max_uid. If max_uid is omitted, all uids greater than or equal min_uid match.
|
|
</DL>
|
|
|
|
<P>
|
|
<DL COMPACT><DT id="7"><DD>
|
|
•
|
|
|
|
|
|
a gid range specified as
|
|
<B>@</B><I><min_gid></I><B>:</B><I><max_gid></I>. If min_gid is omitted, the match is exact for the max_gid. If max_gid is omitted, all gids greater than or equal min_gid match. For the exact match all groups including the user's supplementary groups are examined. For the range matches only the user's primary group is examined.
|
|
</DL>
|
|
|
|
<P>
|
|
<DL COMPACT><DT id="8"><DD>
|
|
•
|
|
|
|
|
|
a gid specified as
|
|
<B>%:</B><I><gid></I>
|
|
applicable to maxlogins limit only. It limits the total number of logins of all users that are member of the group with the specified gid.
|
|
</DL>
|
|
|
|
<P>
|
|
<B>NOTE:</B>
|
|
group and wildcard limits are not applied to the root user. To set a limit for the root user, this field must contain the literal username
|
|
<B>root</B>.
|
|
</DL>
|
|
|
|
<P>
|
|
|
|
<B><type></B>
|
|
<DL COMPACT><DT id="9"><DD>
|
|
<P>
|
|
|
|
<B>hard</B>
|
|
<DL COMPACT><DT id="10"><DD>
|
|
for enforcing
|
|
<B>hard</B>
|
|
resource limits. These limits are set by the superuser and enforced by the Kernel. The user cannot raise his requirement of system resources above such values.
|
|
</DL>
|
|
|
|
<P>
|
|
|
|
<B>soft</B>
|
|
<DL COMPACT><DT id="11"><DD>
|
|
for enforcing
|
|
<B>soft</B>
|
|
resource limits. These limits are ones that the user can move up or down within the permitted range by any pre-existing
|
|
<B>hard</B>
|
|
limits. The values specified with this token can be thought of as
|
|
<I>default</I>
|
|
values, for normal system usage.
|
|
</DL>
|
|
|
|
<P>
|
|
|
|
<B>-</B>
|
|
<DL COMPACT><DT id="12"><DD>
|
|
for enforcing both
|
|
<B>soft</B>
|
|
and
|
|
<B>hard</B>
|
|
resource limits together.
|
|
<P>
|
|
Note, if you specify a type of '-' but neglect to supply the item and value fields then the module will never enforce any limits on the specified user/group etc. .
|
|
</DL>
|
|
|
|
</DL>
|
|
|
|
<P>
|
|
|
|
<B><item></B>
|
|
<DL COMPACT><DT id="13"><DD>
|
|
<P>
|
|
|
|
<B>core</B>
|
|
<DL COMPACT><DT id="14"><DD>
|
|
limits the core file size (KB)
|
|
</DL>
|
|
|
|
<P>
|
|
|
|
<B>data</B>
|
|
<DL COMPACT><DT id="15"><DD>
|
|
maximum data size (KB)
|
|
</DL>
|
|
|
|
<P>
|
|
|
|
<B>fsize</B>
|
|
<DL COMPACT><DT id="16"><DD>
|
|
maximum filesize (KB)
|
|
</DL>
|
|
|
|
<P>
|
|
|
|
<B>memlock</B>
|
|
<DL COMPACT><DT id="17"><DD>
|
|
maximum locked-in-memory address space (KB)
|
|
</DL>
|
|
|
|
<P>
|
|
|
|
<B>nofile</B>
|
|
<DL COMPACT><DT id="18"><DD>
|
|
maximum number of open file descriptors
|
|
</DL>
|
|
|
|
<P>
|
|
|
|
<B>rss</B>
|
|
<DL COMPACT><DT id="19"><DD>
|
|
maximum resident set size (KB) (Ignored in Linux 2.4.30 and higher)
|
|
</DL>
|
|
|
|
<P>
|
|
|
|
<B>stack</B>
|
|
<DL COMPACT><DT id="20"><DD>
|
|
maximum stack size (KB)
|
|
</DL>
|
|
|
|
<P>
|
|
|
|
<B>cpu</B>
|
|
<DL COMPACT><DT id="21"><DD>
|
|
maximum CPU time (minutes)
|
|
</DL>
|
|
|
|
<P>
|
|
|
|
<B>nproc</B>
|
|
<DL COMPACT><DT id="22"><DD>
|
|
maximum number of processes
|
|
</DL>
|
|
|
|
<P>
|
|
|
|
<B>as</B>
|
|
<DL COMPACT><DT id="23"><DD>
|
|
address space limit (KB)
|
|
</DL>
|
|
|
|
<P>
|
|
|
|
<B>maxlogins</B>
|
|
<DL COMPACT><DT id="24"><DD>
|
|
maximum number of logins for this user (this limit does not apply to user with
|
|
<I>uid=0</I>)
|
|
</DL>
|
|
|
|
<P>
|
|
|
|
<B>maxsyslogins</B>
|
|
<DL COMPACT><DT id="25"><DD>
|
|
maximum number of all logins on system; user is not allowed to log-in if total number of all user logins is greater than specified number (this limit does not apply to user with
|
|
<I>uid=0</I>)
|
|
</DL>
|
|
|
|
<P>
|
|
|
|
<B>priority</B>
|
|
<DL COMPACT><DT id="26"><DD>
|
|
the priority to run user process with (negative values boost process priority)
|
|
</DL>
|
|
|
|
<P>
|
|
|
|
<B>locks</B>
|
|
<DL COMPACT><DT id="27"><DD>
|
|
maximum locked files (Linux 2.4 and higher)
|
|
</DL>
|
|
|
|
<P>
|
|
|
|
<B>sigpending</B>
|
|
<DL COMPACT><DT id="28"><DD>
|
|
maximum number of pending signals (Linux 2.6 and higher)
|
|
</DL>
|
|
|
|
<P>
|
|
|
|
<B>msgqueue</B>
|
|
<DL COMPACT><DT id="29"><DD>
|
|
maximum memory used by POSIX message queues (bytes) (Linux 2.6 and higher)
|
|
</DL>
|
|
|
|
<P>
|
|
|
|
<B>nice</B>
|
|
<DL COMPACT><DT id="30"><DD>
|
|
maximum nice priority allowed to raise to (Linux 2.6.12 and higher) values: [-20,19]
|
|
</DL>
|
|
|
|
<P>
|
|
|
|
<B>rtprio</B>
|
|
<DL COMPACT><DT id="31"><DD>
|
|
maximum realtime priority allowed for non-privileged processes (Linux 2.6.12 and higher)
|
|
</DL>
|
|
|
|
<P>
|
|
|
|
<B>chroot</B>
|
|
<DL COMPACT><DT id="32"><DD>
|
|
the directory to chroot the user to
|
|
</DL>
|
|
|
|
</DL>
|
|
|
|
<P>
|
|
|
|
All items support the values
|
|
<I>-1</I>,
|
|
<I>unlimited</I>
|
|
or
|
|
<I>infinity</I>
|
|
indicating no limit, except for
|
|
<B>priority</B>
|
|
and
|
|
<B>nice</B>.
|
|
<P>
|
|
|
|
If a hard limit or soft limit of a resource is set to a valid value, but outside of the supported range of the local system, the system may reject the new limit or unexpected behavior may occur. If the control value
|
|
<I>required</I>
|
|
is used, the module will reject the login if a limit could not be set.
|
|
<P>
|
|
|
|
In general, individual limits have priority over group limits, so if you impose no limits for
|
|
<I>admin</I>
|
|
group, but one of the members in this group have a limits line, the user will have its limits set according to this line.
|
|
<P>
|
|
|
|
Also, please note that all limit settings are set
|
|
<I>per login</I>. They are not global, nor are they permanent; existing only for the duration of the session. One exception is the
|
|
<I>maxlogin</I>
|
|
option, this one is system wide. But there is a race, concurrent logins at the same time will not always be detect as such but only counted as one.
|
|
<P>
|
|
|
|
In the
|
|
<I>limits</I>
|
|
configuration file, the '<B>#</B>' character introduces a comment - after which the rest of the line is ignored.
|
|
<P>
|
|
|
|
The pam_limits module does report configuration problems found in its configuration file and errors via
|
|
<B><A HREF="/cgi-bin/man/man2html?3+syslog">syslog</A></B>(3).
|
|
<A NAME="lbAD"> </A>
|
|
<H2>EXAMPLES</H2>
|
|
|
|
<P>
|
|
|
|
These are some example lines which might be specified in
|
|
/etc/security/limits.conf.
|
|
<P>
|
|
<DL COMPACT><DT id="33"><DD>
|
|
|
|
|
|
|
|
<PRE>
|
|
* soft core 0
|
|
root hard core 100000
|
|
* hard nofile 512
|
|
@student hard nproc 20
|
|
@faculty soft nproc 20
|
|
@faculty hard nproc 50
|
|
ftp hard nproc 0
|
|
@student - maxlogins 4
|
|
:123 hard cpu 5000
|
|
@500: soft cpu 10000
|
|
600:700 hard locks 10
|
|
|
|
</PRE>
|
|
|
|
</DL>
|
|
|
|
|
|
|
|
|
|
<A NAME="lbAE"> </A>
|
|
<H2>SEE ALSO</H2>
|
|
|
|
<P>
|
|
|
|
<B><A HREF="/cgi-bin/man/man2html?8+pam_limits">pam_limits</A></B>(8),
|
|
<B><A HREF="/cgi-bin/man/man2html?5+pam.d">pam.d</A></B>(5),
|
|
<B><A HREF="/cgi-bin/man/man2html?7+pam">pam</A></B>(7),
|
|
<B><A HREF="/cgi-bin/man/man2html?2+getrlimit">getrlimit</A></B>(2),
|
|
<B><A HREF="/cgi-bin/man/man2html?3p+getrlimit">getrlimit</A></B>(3p)
|
|
<A NAME="lbAF"> </A>
|
|
<H2>AUTHOR</H2>
|
|
|
|
<P>
|
|
|
|
pam_limits was initially written by Cristian Gafton <<A HREF="mailto:gafton@redhat.com">gafton@redhat.com</A>>
|
|
<P>
|
|
|
|
<HR>
|
|
<A NAME="index"> </A><H2>Index</H2>
|
|
<DL>
|
|
<DT id="34"><A HREF="#lbAB">NAME</A><DD>
|
|
<DT id="35"><A HREF="#lbAC">DESCRIPTION</A><DD>
|
|
<DT id="36"><A HREF="#lbAD">EXAMPLES</A><DD>
|
|
<DT id="37"><A HREF="#lbAE">SEE ALSO</A><DD>
|
|
<DT id="38"><A HREF="#lbAF">AUTHOR</A><DD>
|
|
</DL>
|
|
<HR>
|
|
This document was created by
|
|
<A HREF="/cgi-bin/man/man2html">man2html</A>,
|
|
using the manual pages.<BR>
|
|
Time: 00:06:03 GMT, March 31, 2021
|
|
</BODY>
|
|
</HTML>
|