LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Setting limits (https://www.linuxquestions.org/questions/linux-security-4/setting-limits-374978/)

nelamvr6 10-20-2005 05:41 AM

Setting limits
 
OK so I ran Bastille, it recommended setting limits on core size and number of user processes. this sounded reasonable to me so I agreed. It mentioned that the settings would be in /etc/security/limits.conf and that I could edit them later. Sounds good.

Later that night out of curiosity I typed ulimit -a in a bash session and I got this:

nelamvr6@linux:~> ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
file size (blocks, -f) unlimited
max locked memory (kbytes, -l) 32
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
stack size (kbytes, -s) unlimited
cpu time (seconds, -t) unlimited
max user processes (-u) 8191
virtual memory (kbytes, -v) unlimited

Max user processors are 8191? Bastille recommended 150!

So I took a look at /etc/security/limits.conf and found this:

# prevent core dumps
* hard core 0

#limit user processes per user to 150
* soft nproc 100
* hard nproc 150


So what gives? Why are these limits not enforced? I'm running SUSE 10.0 with KDE as my desktop.

TIA

unSpawn 10-20-2005 09:59 PM

The first time /etc/security/limits.conf is consulted is when you log in. Are you sure you logged out completely before checking?

nelamvr6 10-21-2005 06:53 AM

OK, I got it sorted. Had to add ulimit lines to /etc/profile

Worked like a charm!

unSpawn 10-21-2005 07:37 AM

Had to add ulimit lines to /etc/profile
Any good reason for doing that? AFAIk choosing a decentralised workaround like that bypasses PAM options you have with /etc/security/limits.conf like for instance per account or group settings (OK, unless you script it).

nelamvr6 10-21-2005 10:05 AM

Quote:

Originally posted by unSpawn
Had to add ulimit lines to /etc/profile
Any good reason for doing that? AFAIk choosing a decentralised workaround like that bypasses PAM options you have with /etc/security/limits.conf like for instance per account or group settings (OK, unless you script it).

Well there were statements limiting user processes in my /etc/security/limits.conf , but for some reason those limits were not in place when I executed ulimit -a. It appears that for some reason my distro was ignoring /etc/security/limits.conf while it pays attention to /etc/profile .

I attempte to change the statements in /etc/security/limits.conf, but that had no effect on the limits actually imposed on the user. Is there some other way I'm supposed to utilize PAM to effect these changes?

unSpawn 10-21-2005 12:02 PM

If you have /etc/pam.d/system-auth and it contains a session line using pam_limits.so, and system-auth is referenced in /etc/pam.d/login, and if the contents of /etc/security/limits.conf are like you posted it, and if the shell doesn't override this in resource files (for Bash: /etc/bashrc, /etc/profile, /etc/profile.d/*.sh) then if the user is completely logged out and logs back in this should be working.

nelamvr6 10-22-2005 02:15 AM

Quote:

Originally posted by unSpawn
If you have /etc/pam.d/system-auth and it contains a session line using pam_limits.so, and system-auth is referenced in /etc/pam.d/login, and if the contents of /etc/security/limits.conf are like you posted it, and if the shell doesn't override this in resource files (for Bash: /etc/bashrc, /etc/profile, /etc/profile.d/*.sh) then if the user is completely logged out and logs back in this should be working.
OK, I don't have /etc/pam.d/system-auth, system-auth is not reference in /etc/pam.d/login.

So where do I go now?

unSpawn 10-22-2005 06:25 AM

OK, I don't have /etc/pam.d/system-auth, system-auth is not reference in /etc/pam.d/login.
No, you have SuSE, so you have /etc/pam.d/common-.* ... and pam_limits.so is a session thing, so it's referenced in common-session. I had to check pam-0.80-6selinux1.i586.rpm for that, which doesn't show me any /etc/pam.d/SERVICENAME files. If you could post the contents of your /etc/pam.d/login that would come in handy.

nelamvr6 10-22-2005 01:18 PM

Quote:

Originally posted by unSpawn
OK, I don't have /etc/pam.d/system-auth, system-auth is not reference in /etc/pam.d/login.
No, you have SuSE, so you have /etc/pam.d/common-.* ... and pam_limits.so is a session thing, so it's referenced in common-session. I had to check pam-0.80-6selinux1.i586.rpm for that, which doesn't show me any /etc/pam.d/SERVICENAME files. If you could post the contents of your /etc/pam.d/login that would come in handy.

Here it is:

#%PAM-1.0
auth required pam_securetty.so
auth include common-auth
auth required pam_nologin.so
auth required pam_mail.so
account include common-account
password include common-password
session include common-session
session required pam_resmgr.so
account required /lib/security/pam_access.so

tkedwards 10-24-2005 06:38 PM

Quote:

do you have
session required pam_limits.so

in /etc/pam.d/{login,sshd}
http://www.experts-exchange.com/Secu..._21416699.html


All times are GMT -5. The time now is 02:23 PM.