ulimit

introuble · 07-21-2006, 04:27 PM

This is the current output of `ulimit -a`:

Code:

core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
max nice                        (-e) 20
file size               (blocks, -f) unlimited
pending signals                 (-i) unlimited
max locked memory       (kbytes, -l) unlimited
max memory size         (kbytes, -m) unlimited
open files                      (-n) 1024
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) unlimited
max rt priority                 (-r) unlimited
stack size              (kbytes, -s) 8192
cpu time               (seconds, -t) unlimited
max user processes              (-u) unlimited
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited

Now this looks wrong to me because .. well .. for starters .. I'm vulnerable to a fork bomb and probably other attacks.

I have a couple of questions:

#1. Where do you set the above limits? Can you only specify them on command line and if so, will they "survive" a reboot?

#2. Could you recommend some limits please?

primo · 07-22-2006, 03:33 AM

Obviously I would go for "max user processes". Set it to whatever value fits for you when you're under load and see how many of them are running looking at what top(1) says.

The next is "max locked memory". You can manage to bring down a Linux system by mmap()ing a large file and then calling mlock() on it. Fortunately, only the root user may call mlock().

The place to set limits should be /etc/security/limits.conf. It must exist in every Linux distribution as it uses PAM. Don't use /etc/profile or /etc/rc.local for that. The former may be skipped and the latter may apply to daemons started later.

Note: The stack size limit is too low. Raise it to 65536 at least. Memory limits aren't easy to come by. See "man getrlimit"