LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 10-20-2005, 05:41 AM   #1
nelamvr6
Member
 
Registered: Oct 2005
Location: New London, CT USA
Distribution: Ubuntu 7.04
Posts: 49

Rep: Reputation: 15
Setting limits


OK so I ran Bastille, it recommended setting limits on core size and number of user processes. this sounded reasonable to me so I agreed. It mentioned that the settings would be in /etc/security/limits.conf and that I could edit them later. Sounds good.

Later that night out of curiosity I typed ulimit -a in a bash session and I got this:

nelamvr6@linux:~> ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
file size (blocks, -f) unlimited
max locked memory (kbytes, -l) 32
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
stack size (kbytes, -s) unlimited
cpu time (seconds, -t) unlimited
max user processes (-u) 8191
virtual memory (kbytes, -v) unlimited

Max user processors are 8191? Bastille recommended 150!

So I took a look at /etc/security/limits.conf and found this:

# prevent core dumps
* hard core 0

#limit user processes per user to 150
* soft nproc 100
* hard nproc 150


So what gives? Why are these limits not enforced? I'm running SUSE 10.0 with KDE as my desktop.

TIA
 
Old 10-20-2005, 09:59 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594
The first time /etc/security/limits.conf is consulted is when you log in. Are you sure you logged out completely before checking?
 
Old 10-21-2005, 06:53 AM   #3
nelamvr6
Member
 
Registered: Oct 2005
Location: New London, CT USA
Distribution: Ubuntu 7.04
Posts: 49

Original Poster
Rep: Reputation: 15
OK, I got it sorted. Had to add ulimit lines to /etc/profile

Worked like a charm!
 
Old 10-21-2005, 07:37 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594
Had to add ulimit lines to /etc/profile
Any good reason for doing that? AFAIk choosing a decentralised workaround like that bypasses PAM options you have with /etc/security/limits.conf like for instance per account or group settings (OK, unless you script it).
 
Old 10-21-2005, 10:05 AM   #5
nelamvr6
Member
 
Registered: Oct 2005
Location: New London, CT USA
Distribution: Ubuntu 7.04
Posts: 49

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by unSpawn
Had to add ulimit lines to /etc/profile
Any good reason for doing that? AFAIk choosing a decentralised workaround like that bypasses PAM options you have with /etc/security/limits.conf like for instance per account or group settings (OK, unless you script it).
Well there were statements limiting user processes in my /etc/security/limits.conf , but for some reason those limits were not in place when I executed ulimit -a. It appears that for some reason my distro was ignoring /etc/security/limits.conf while it pays attention to /etc/profile .

I attempte to change the statements in /etc/security/limits.conf, but that had no effect on the limits actually imposed on the user. Is there some other way I'm supposed to utilize PAM to effect these changes?
 
Old 10-21-2005, 12:02 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594
If you have /etc/pam.d/system-auth and it contains a session line using pam_limits.so, and system-auth is referenced in /etc/pam.d/login, and if the contents of /etc/security/limits.conf are like you posted it, and if the shell doesn't override this in resource files (for Bash: /etc/bashrc, /etc/profile, /etc/profile.d/*.sh) then if the user is completely logged out and logs back in this should be working.
 
Old 10-22-2005, 02:15 AM   #7
nelamvr6
Member
 
Registered: Oct 2005
Location: New London, CT USA
Distribution: Ubuntu 7.04
Posts: 49

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by unSpawn
If you have /etc/pam.d/system-auth and it contains a session line using pam_limits.so, and system-auth is referenced in /etc/pam.d/login, and if the contents of /etc/security/limits.conf are like you posted it, and if the shell doesn't override this in resource files (for Bash: /etc/bashrc, /etc/profile, /etc/profile.d/*.sh) then if the user is completely logged out and logs back in this should be working.
OK, I don't have /etc/pam.d/system-auth, system-auth is not reference in /etc/pam.d/login.

So where do I go now?
 
Old 10-22-2005, 06:25 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594
OK, I don't have /etc/pam.d/system-auth, system-auth is not reference in /etc/pam.d/login.
No, you have SuSE, so you have /etc/pam.d/common-.* ... and pam_limits.so is a session thing, so it's referenced in common-session. I had to check pam-0.80-6selinux1.i586.rpm for that, which doesn't show me any /etc/pam.d/SERVICENAME files. If you could post the contents of your /etc/pam.d/login that would come in handy.
 
Old 10-22-2005, 01:18 PM   #9
nelamvr6
Member
 
Registered: Oct 2005
Location: New London, CT USA
Distribution: Ubuntu 7.04
Posts: 49

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by unSpawn
OK, I don't have /etc/pam.d/system-auth, system-auth is not reference in /etc/pam.d/login.
No, you have SuSE, so you have /etc/pam.d/common-.* ... and pam_limits.so is a session thing, so it's referenced in common-session. I had to check pam-0.80-6selinux1.i586.rpm for that, which doesn't show me any /etc/pam.d/SERVICENAME files. If you could post the contents of your /etc/pam.d/login that would come in handy.
Here it is:

#%PAM-1.0
auth required pam_securetty.so
auth include common-auth
auth required pam_nologin.so
auth required pam_mail.so
account include common-account
password include common-password
session include common-session
session required pam_resmgr.so
account required /lib/security/pam_access.so
 
Old 10-24-2005, 06:38 PM   #10
tkedwards
Senior Member
 
Registered: Aug 2004
Location: Munich, Germany
Distribution: Opensuse 11.2
Posts: 1,549

Rep: Reputation: 52
Quote:
do you have
session required pam_limits.so

in /etc/pam.d/{login,sshd}
http://www.experts-exchange.com/Secu..._21416699.html
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
no /etc/limits ? Mig21 Slackware 7 07-25-2005 11:18 PM
RAID Limits jtl60047 Linux - General 2 08-21-2004 09:06 PM
getrlimit is setting soft and hard limits to -1, why? FunkMeisterMaz Programming 2 03-22-2004 06:34 AM
Limits on certain ip connections. newhost Linux - Security 3 03-09-2003 03:56 PM
Bandwidth Limits by IP Bomber Linux - Networking 3 01-16-2002 02:42 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 06:34 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration