summaryrefslogtreecommitdiff
path: root/modules/pam_limits/README
blob: 06a6857a81357ab4f00dd9b38a20839c4780d25c (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
pam_limits module:
	Imposing user limits on login.

THEORY OF OPERATION:

First, make a root-only-readable file (/etc/limits by default or LIMITS_FILE
defined Makefile) that describes the resource limits you wish to impose. No 
limits are imposed on UID 0 accounts.

Each line describes a limit for a user in the form:

<domain>	<type>	<item>	<value>

Where:
<domain> can be:
	- an user name
	- a group name, with @group syntax
	- the wildcard *, for default entry

<type> can have the two values:
	- "soft" for enforcinf the soft limits
	- "hard" for enforcing hard limits

<item> can be one of the following:
	- core - limits the core file size (KB)
	- data - max data size (KB)
	- fsize - maximum filesize (KB)
	- memlock - max locked-in-memory address space (KB)
	- nofile - max number of open files
	- rss - max resident set size (KB)
	- stack - max stack size (KB)
	- cpu - max CPU time (MIN)
	- nproc - max number of processes
	- as - address space limit
	- maxlogins - max number of logins for this user
	- maxsyslogins - max number of logins on the system
		
To completely disable limits for a user (or a group), a single dash (-)
will do (Example: 'bin -', '@admin -'). Please remember that individual
limits have priority over group limits, so if you impose no limits for admin
group, but one of the members in this group have a limits line, the user
will have its limits set according to this line.

Also, please note that all limit settings are set PER LOGIN.  They are
not global, nor are they permanent (the session only)

In the LIMITS_FILE, the # character introduces a comment - the rest of the
line is ignored.

The pam_limits module does its best to report configuration problems found
in LIMITS_FILE via syslog.

EXAMPLE configuration file:
===========================
*               soft    core            0
*               hard    rss             10000
@student        hard    nproc           20
@faculty        soft    nproc           20
@faculty        hard    nproc           50
ftp             hard    nproc           0
@student        -       maxlogins       4


ARGUMENTS RECOGNIZED:
    debug		verbose logging

    conf=/path/to/file	the limits configuration file if different from the
			one set at compile time.

MODULE SERVICES PROVIDED:
	session            _open_session and _close_session (blank)

USAGE:
	For the services you need resources limits (login for example) put a
	the following line in /etc/pam.conf as the last line for that
	service (usually after the pam_unix session line:

	login   session    required     /lib/security/pam_limits.so

	Replace "login" for each service you are using this module, replace
	"/lib/security" path with your real modules path.

AUTHOR:
        Cristian Gafton <gafton@redhat.com>
	Thanks to Elliot Lee <sopwith@redhat.com> for his comments on
	improving this module.