Diffstat (limited to 'modules/pam_limits/README')
1 files changed, 39 insertions, 102 deletions
diff --git a/modules/pam_limits/README b/modules/pam_limits/README
index a4f07e32..adab19df 100644
@@ -1,113 +1,50 @@
+pam_limits — PAM module to limit resources
- Imposing user limits on login.
-THEORY OF OPERATION:
-First, make a root-only-readable file (/etc/security/limits.conf by
-default or INSTALLED_CONFILE defined Makefile) that describes the
-resource limits you wish to impose. No priority changes and login
-limit checks are done on UID 0 accounts.
-Each line describes a limit for a user in the form:
-<domain> <type> <item> <value>
-<domain> can be:
- - an user name
- - a group name, with @group syntax
- - the wildcard *, for default entry
-<type> can have the three values:
- - "soft" for enforcing the soft limits
- - "hard" for enforcing hard limits
- - "-" for enforcing both soft and hard limits
-<item> can be one of the following:
- - core - limits the core file size (KB)
- - data - max data size (KB)
- - fsize - maximum filesize (KB)
- - memlock - max locked-in-memory address space (KB)
- - nofile - max number of open files
- - rss - max resident set size (KB)
- - stack - max stack size (KB)
- - cpu - max CPU time (MIN)
- - nproc - max number of processes
- - as - address space limit
- - maxlogins - max number of logins for this user
- - maxsyslogins - max number of logins on the system
- - priority - lower the priority by given value (value can be -ve)
- - locks - max locked files (Linux 2.4 and higher)
- - sigpending - max number of pending signals (Linux 2.6 and higher)
- - msgqueue - max memory used by POSIX message queues (bytes)
- (Linux 2.6 and higher)
- - nice - max nice priority allowed to raise to (Linux 2.6.12 and higher)
- - rtprio - max realtime priority allowed for non-priviledged
- processes (Linux 2.6.12 and higher)
-Note, if you specify a type of '-' but neglect to supply the item and
-value fields then the module will never enforce any limits on the
-specified user/group etc. .
-Please remember that individual limits have priority over group
-limits, so if you impose no limits for admin group, but one of the
-members in this group has a limits line, the user will have its limits
-set according to this line.
-Also, please note that all limit settings are set PER LOGIN. They are
-not global, nor are they permanent (they apply for the session only).
-In the LIMITS_FILE, the # character introduces a comment - the rest of the
-line is ignored.
-The pam_limits module does its best to report configuration problems found
-in LIMITS_FILE via syslog.
-EXAMPLE configuration file:
-* soft core 0
-* hard rss 10000
-@student hard nproc 20
-@faculty soft nproc 20
-@faculty hard nproc 50
-ftp hard nproc 0
-@student - maxlogins 4
+The pam_limits PAM module sets limits on the system resources that can be
+obtained in a user-session. Users of uid=0 are affected by this limits, too.
+By default limits are taken from the /etc/security/limits.conf config file.
- debug verbose logging
+ Change real uid to the user for who the limits are set up. Use this option
+ if you have problems like login not forking a shell for user who has no
+ processes. Be warned that something else may break when you do this.
- conf=/path/to/file the limits configuration file if different from the
- one set at compile time.
- change_uid change real uid to the user for who the limits
- are set up. Use this option if you have problems
- like login not forking a shell for user who has
- no processes. Be warned that something else
- may break when you do this.
+ Indicate an alternative limits.conf style configuration file to override
+ the default.
- utmp_early some broken applications actually allocate a
- utmp entry for the user before the user is
- admitted to the system. If the service you are
- configuring PAM for does this, you can use
- this module argument to compensate for this
-MODULE SERVICES PROVIDED:
- session _open_session and _close_session (blank)
+ Print debug information.
- For the services you need resources limits (login for example) put a
- the following line in /etc/pam.conf as the last line for that
- service (usually after the pam_unix session line:
- login session required /lib/security/pam_limits.so
+ Some broken applications actually allocate a utmp entry for the user before
+ the user is admitted to the system. If some of the services you are
+ configuring PAM for do this, you can selectively use this module argument
+ to compensate for this behavior and at the same time maintain system-wide
+ consistency with a single limits.conf file.
+These are some example lines which might be specified in /etc/security/
+* soft core 0
+* hard rss 10000
+@student hard nproc 20
+@faculty soft nproc 20
+@faculty hard nproc 50
+ftp hard nproc 0
+@student - maxlogins 4
- Replace "login" for each service you are using this module, replace
- "/lib/security" path with your real modules path.
- Cristian Gafton <email@example.com>
- Thanks to Elliot Lee <firstname.lastname@example.org> for his comments on
- improving this module, and Jens Sorensen for Linux 2.4 updates.
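Review bot: The added option descriptions ("Change real uid to the user for who the limits are set up...", "Indicate an alternative limits.conf style configuration file...", "Print debug information.", "Some broken applications...") appear in this hunk without the argument names they describe, whereas the removed lines carried them as debug, conf=/path/to/file, change_uid and utmp_early. Each description should keep its option name so an administrator can tell which argument goes on the PAM line. The new introduction also states "Users of uid=0 are affected by this limits, too", which reverses the removed statement that no priority changes and login limit checks are done on UID 0 accounts. If that matches the module's current behaviour, the commit message should say so explicitly, and "this limits" should read "these limits". The rewrite drops the <domain> <type> <item> <value> syntax, the item list, the caveat that a '-' type with no item and value means no limits are ever enforced for that user or group, the root-only-readable file guidance, and the example session line for /etc/pam.conf, so the README should at least say where that material is now documented. Finally, the added line "These are some example lines which might be specified in /etc/security/" stops at the directory instead of naming the file.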