diff options
Diffstat (limited to 'Linux-PAM/modules/pam_limits/README')
-rw-r--r-- | Linux-PAM/modules/pam_limits/README | 107 |
1 files changed, 107 insertions, 0 deletions
diff --git a/Linux-PAM/modules/pam_limits/README b/Linux-PAM/modules/pam_limits/README new file mode 100644 index 00000000..023b9575 --- /dev/null +++ b/Linux-PAM/modules/pam_limits/README @@ -0,0 +1,107 @@ + +pam_limits module: + Imposing user limits on login. + +THEORY OF OPERATION: + +First, make a root-only-readable file (/etc/security/limits.conf by +default or INSTALLED_CONFILE defined Makefile) that describes the +resource limits you wish to impose. No limits are imposed on UID 0 +accounts. + +Each line describes a limit for a user in the form: + +<domain> <type> <item> <value> + +Where: +<domain> can be: + - an user name + - a group name, with @group syntax + - the wildcard *, for default entry + +<type> can have the three values: + - "soft" for enforcing the soft limits + - "hard" for enforcing hard limits + - "-" for enforcing both soft and hard limits + +<item> can be one of the following: + - core - limits the core file size (KB) + - data - max data size (KB) + - fsize - maximum filesize (KB) + - memlock - max locked-in-memory address space (KB) + - nofile - max number of open files + - rss - max resident set size (KB) + - stack - max stack size (KB) + - cpu - max CPU time (MIN) + - nproc - max number of processes + - as - address space limit + - maxlogins - max number of logins for this user + - maxsyslogins - max number of logins on the system + - priority - lower the priority by given value (value can be -ve) + - locks - max locked files (Linux 2.4 and higher) + +Note, if you specify a type of '-' but neglect to supply the item and +value fields then the module will never enforce any limits on the +specified user/group etc. . + +Please remember that individual limits have priority over group +limits, so if you impose no limits for admin group, but one of the +members in this group has a limits line, the user will have its limits +set according to this line. + +Also, please note that all limit settings are set PER LOGIN. They are +not global, nor are they permanent (they apply for the session only). + +In the LIMITS_FILE, the # character introduces a comment - the rest of the +line is ignored. + +The pam_limits module does its best to report configuration problems found +in LIMITS_FILE via syslog. + +EXAMPLE configuration file: +=========================== +* soft core 0 +* hard rss 10000 +@student hard nproc 20 +@faculty soft nproc 20 +@faculty hard nproc 50 +ftp hard nproc 0 +@student - maxlogins 4 + + +ARGUMENTS RECOGNIZED: + debug verbose logging + + conf=/path/to/file the limits configuration file if different from the + one set at compile time. + + change_uid change real uid to the user for who the limits + are set up. Use this option if you have problems + like login not forking a shell for user who has + no processes. Be warned that something else + may break when you do this. + + utmp_early some broken applications actually allocate a + utmp entry for the user before the user is + admitted to the system. If the service you are + configuring PAM for does this, you can use + this module argument to compensate for this + brokenness. + +MODULE SERVICES PROVIDED: + session _open_session and _close_session (blank) + +USAGE: + For the services you need resources limits (login for example) put a + the following line in /etc/pam.conf as the last line for that + service (usually after the pam_unix session line: + + login session required /lib/security/pam_limits.so + + Replace "login" for each service you are using this module, replace + "/lib/security" path with your real modules path. + +AUTHOR: + Cristian Gafton <gafton@redhat.com> + Thanks to Elliot Lee <sopwith@redhat.com> for his comments on + improving this module, and Jens Sorensen for Linux 2.4 updates. |