Kees Cook kees.cook at canonical.com
Wed Sep 9 18:38:23 UTC 2009


On Wed, Sep 09, 2009 at 02:13:24PM -0400, Etienne Goyer wrote:
> Limits that you set in /etc/security/limits.conf are applied by the
> pam_limits.so PAM module.  The PAM stack is configured in the various
> files you can find under /etc/pam.d/.  Explaining how to configure PAM
> would be a bit long, so I refer you to the Linux PAM System
> Administrator Guide I linked to in my previous post for further details.
> That being said, I am afraid my last post was misleading, because PAM does
> not apply to daemons and services started by init AFAIK.  As such, I am
> not sure how you would impose a ulimit on a daemon, but that is surely not
> through /etc/security/limits.conf.  I will leave it to someone else to
> suggest a proper approach for your use-case.

While start-stop-daemon does not yet support[1] setting ulimits, you
should be able to add a ulimit call to your service's init script
directly.  Though that is a bit of a hack.  :)

In the future, once services have migrated to using Upstart, you can
set limits more easily.  (See "limit"[2])


[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=302079
[2] http://upstart.ubuntu.com/wiki/Stanzas

Kees Cook
Ubuntu Security Team
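
An added example, not part of the original message or of any Ubuntu package: one way to put the ulimit call into a SysV init script so the limits bind only the daemon, plus a check of what the kernel actually applied. The function names, the limit values and the `exampled` daemon path are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed example: apply resource limits to a daemon from an init script.

# run_limited NOFILE CORE CMD [ARGS...]
# Sets the limits inside a subshell and then execs CMD, so the daemon
# inherits them while the rest of the init script keeps its own limits.
# If a limit cannot be set, CMD is not started at all.
run_limited() {
    nofile=$1; core=$2; shift 2
    (
        ulimit -n "$nofile" || exit 1   # max open file descriptors
        ulimit -c "$core"   || exit 1   # max core file size (0 = no core dumps)
        exec "$@"
    )
}

# proc_soft_limit PID "Limit name"
# Prints the soft limit the kernel reports for a running process, read
# from /proc/PID/limits (for example "Max open files").
proc_soft_limit() {
    awk -v name="$2" 'index($0, name) == 1 {
        rest = substr($0, length(name) + 1)
        split(rest, f, " ")
        print f[1]
    }' "/proc/$1/limits"
}

# Use inside the init script's start action (hypothetical daemon and pidfile):
#   run_limited 1024 0 start-stop-daemon --start --quiet \
#       --pidfile /var/run/exampled.pid --exec /usr/sbin/exampled
# Verify afterwards:
#   proc_soft_limit "$(cat /var/run/exampled.pid)" "Max open files"
```

Limits are inherited across fork and exec, which is why setting them in the shell that launches start-stop-daemon is enough to reach the daemon itself.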
