ulimit strangeness

Magnus Therning magnus at therning.org
Thu Aug 18 17:41:11 CDT 2005


On Thu, Aug 18, 2005 at 01:58:48PM -0400, Spudgun wrote:
>
>To stop 'forkbomb' attacks, my limits.conf looks like this:
>
>Code:
>--------------------
>    # /etc/security/limits.conf
>  #
>  #Each line describes a limit for a user in the form:
>  #
>  #<domain>        <type>  <item>  <value>
>  #
>  #Where:
>  #<domain> can be:
>  #        - an user name
>  #        - a group name, with @group syntax
>  #        - the wildcard *, for default entry
>  #        - the wildcard %, can be also used with %group syntax,
>  #                 for maxlogin limit
>  #
>  #<type> can have the two values:
>  #        - "soft" for enforcing the soft limits
>  #        - "hard" for enforcing hard limits
>  #
>  #<item> can be one of the following:
>  #        - core - limits the core file size (KB)
>  #        - data - max data size (KB)
>  #        - fsize - maximum filesize (KB)
>  #        - memlock - max locked-in-memory address space (KB)
>  #        - nofile - max number of open files
>  #        - rss - max resident set size (KB)
>  #        - stack - max stack size (KB)
>  #        - cpu - max CPU time (MIN)
>  #        - nproc - max number of processes
>  #        - as - address space limit
>  #        - maxlogins - max number of logins for this user
>  #        - priority - the priority to run user process with
>  #        - locks - max number of file locks the user can hold
>  #
>
>  #<domain>      <type>  <item>         <value>
>  #
>  
>  #*               soft    core            0
>  #*               hard    rss             10000
>  #@student        hard    nproc           20
>  #@faculty        soft    nproc           20
>  #@faculty        hard    nproc           50
>  #ftp             hard    nproc           0
>  #@student        -       maxlogins       4
>  
>  # End of file
>  # prevent core dumps
>  *	hard	core	0
>  
>  #limit user processes per user to 150
>  *	soft	nproc	100
>  *	hard	nproc	150
>--------------------

It might also be a good idea to limit the number of simultaneous logins
a user can have since IIRC the nproc limit can be circumvented by
logging in multiple times.

/M

-- 
Magnus Therning                    (OpenPGP: 0xAB4DFBA4)
magnus at therning.org
http://therning.org/magnus

Software is not manufactured, it is something you write and publish.
Keep Europe free from software patents, we do not want censorship
by patent law on written works.

Leaders are visionaries with a poorly developed sense of fear and no
concept of the odds against them.
     -- Dr. Robert Jarvik
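
The two limits discussed in this thread (a hard nproc cap and a maxlogins cap) can be checked mechanically. The following is an added example, not part of the original messages: it parses limits.conf text and reports which of the two has no default (`*`) entry. The function names, the sample strings and the maxlogins value of 4 (borrowed from the commented-out `@student` line in the quoted file) are assumptions made for illustration.

```python
# Added example: audit limits.conf text for the limits discussed in the thread.
ITEMS_WANTED = ("nproc", "maxlogins")

def parse_limits(text):
    """Return (domain, type, item, value) tuples for the active lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            continue                          # malformed line: skipped by this checker
        entries.append(tuple(fields))
    return entries

def hard_default(entries, item):
    """Hard limit for `item` in the '*' domain, or None if unset.
    Type '-' sets both soft and hard, so it counts as a hard limit."""
    value = None
    for domain, ltype, name, val in entries:
        if domain == "*" and name == item and ltype in ("hard", "-"):
            value = val                       # assumption: a later line overrides an earlier one
    return value

def audit(text):
    """Map each wanted item to its default hard value (None when missing)."""
    entries = parse_limits(text)
    return {item: hard_default(entries, item) for item in ITEMS_WANTED}

def missing(text):
    """List the wanted items that have no default hard limit."""
    return [item for item, value in audit(text).items() if value is None]

# Active and commented lines copied from the quoted file.
POSTED = """\
#@student        hard    nproc           20
#@student        -       maxlogins       4
*\thard\tcore\t0
*\tsoft\tnproc\t100
*\thard\tnproc\t150
"""

# Constructed variant: the same file plus a default maxlogins entry.
WITH_MAXLOGINS = POSTED + "*\t-\tmaxlogins\t4\n"

if __name__ == "__main__":
    print("posted file, missing:", missing(POSTED))
    print("with maxlogins, missing:", missing(WITH_MAXLOGINS))
```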


More information about the ubuntu-devel mailing list