
Limiting Linux System Users - limits.conf

Almost all Linux distributions ship with PAM support, making it universally available. PAM limits provide a single standardized interface for setting user limits: instead of writing complex shell configuration files (such as /etc/profile), you simply edit the "limits.conf" file. Applying limits selectively through the command shell is also very difficult, whereas with PAM applying limits globally, to groups, or to individual users is quite simple. To enable PAM limits you need to add a line such as:
session        required    /lib/security/pam_limits.so
to the appropriate PAM configuration file (for example /etc/pam.d/sshd). You can then define limits; typically these live in "/etc/security/limits.conf" or a similar location. Because most of these limits are enforced by the shell, the system cannot log all limit violations (you will be notified in syslog when a user exceeds the number of times they are allowed to log in, but you will not receive a warning if the user tries to use more disk space than they are allowed).
The available limits are:

core -- Limits the core file size (KB); usually set to 0 for most users to prevent core dumps.
data -- Maximum data size (KB).
fsize -- Maximum file size (KB).
memlock -- Maximum locked-in-memory address space (KB).
nofile -- Maximum number of open files.
rss -- Maximum resident set size (KB).
stack -- Maximum stack size (KB).
cpu -- Maximum CPU time (minutes).
nproc -- Maximum number of processes.
as -- Address space limit.
maxlogins -- Maximum number of logins for this user or group.
priority -- The priority to run user processes with.

Limits can be placed on users by listing the user name, groups by using the syntax "@group" or globally by using "*".

Example:
Limiting the number of times a user can log in is strongly advised. In most situations users should not need to log in to a server more than once, and allowing them to do so lets them use more resources than you might intend. It can also be used to detect suspicious activity: if users know they can only log in once, then attempts to log in multiple times can be viewed as suspicious (i.e. an attacker with a stolen password trying to access the account).
@users        hard    maxlogins    1
Additionally, when someone violates this limit it will be logged in syslog.
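To see how the entries above combine, here is an added example (not part of the original post) that parses limits.conf lines, rejects items outside the list given above, and resolves the effective soft/hard value for one user. The precedence it models is that of pam_limits: an explicit user entry beats an @group entry, which beats the "*" wildcard, and among entries of equal precedence the later line wins; the user names, group and values in SAMPLE are constructed.

```python
"""Validate limits.conf entries and resolve the effective limit for one user
(added example). Precedence modelled on pam_limits: user entry beats @group,
which beats the '*' wildcard; among equal precedence the later line wins."""
ITEMS = {"core", "data", "fsize", "memlock", "nofile", "rss", "stack",
         "cpu", "nproc", "as", "maxlogins", "priority"}
TYPES = {"hard", "soft", "-"}  # '-' sets both soft and hard
def parse_limits(text):
    """Return (entries, errors); each entry is (domain, type, item, value)."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        cols = line.split()
        if len(cols) != 4:
            errors.append((lineno, "expected 4 fields"))
        elif cols[1] not in TYPES:
            errors.append((lineno, f"unknown type {cols[1]!r}"))
        elif cols[2] not in ITEMS:
            errors.append((lineno, f"unknown item {cols[2]!r}"))
        elif cols[3] != "unlimited" and not cols[3].lstrip("-").isdigit():
            errors.append((lineno, f"bad value {cols[3]!r}"))
        else:
            entries.append(tuple(cols))
    return entries, errors
def effective_limit(entries, user, groups, item):
    """Resolve the soft and hard value of `item` for `user` in `groups`."""
    best = {"soft": (None, 3), "hard": (None, 3)}  # (value, source rank)
    for domain, ltype, ent_item, value in entries:
        if ent_item != item:
            continue
        if domain == user:
            rank = 0  # explicit user entry wins over everything
        elif domain.startswith("@") and domain[1:] in groups:
            rank = 1  # group entry
        elif domain == "*":
            rank = 2  # wildcard default, overridden by any specific match
        else:
            continue
        for kind in (("soft", "hard") if ltype == "-" else (ltype,)):
            if rank <= best[kind][1]:  # equal rank: the later line wins
                best[kind] = (value, rank)
    return {kind: val for kind, (val, _) in best.items()}
SAMPLE = """# constructed sample limits.conf (hypothetical users and group)
*        hard  nproc     200
@users   hard  maxlogins 1
@users   -     nproc     100
alice    hard  maxlogins 4
bogus    hard  nofiles   1024
"""
```

Running parse_limits(SAMPLE) flags the misspelled "nofiles" line, and effective_limit shows that alice keeps her own maxlogins of 4 while other members of @users get 1.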


1 comment:

Bob Plankers -- lonesysadmin.net said...

Limiting someone to one login is a good way to lock them out in case they get disconnected. Personally, I think it's a pretty bad idea, as there are a lot of very good, very productive reasons why people like to be logged in multiple times. Plus, scp looks like a login, so you've made it so that your user cannot be logged in and transfer a file from somewhere else.

Setting some reasonable limits on number of processes is an okay idea, as is perhaps memory limits. Just be aware that limits can have some serious unintended consequences.
