john.johansen at canonical.com
Wed Sep 9 18:47:25 UTC 2009
Kees Cook wrote:
> On Wed, Sep 09, 2009 at 02:13:24PM -0400, Etienne Goyer wrote:
>> Limits that you set in /etc/security/limits.conf are applied by the
>> pam_limits.so PAM module. The PAM stack is configured in the various
>> files you can find under /etc/pam.d/. Explaining how to configure PAM
>> would be a bit long, so I refer you to the Linux PAM System
>> Administrator Guide I linked to in my previous post for further details.
>> That being said, I am afraid my last post was misleading, because PAM does
>> not apply to daemons and services started by init AFAIK. As such, I am
>> not sure how you would impose ulimit on a daemon, but that is surely not
>> through /etc/security/limits.conf. I will leave it to someone else to
>> suggest a proper approach for your use-case.
> While start-stop-daemon does not yet support setting ulimits, you
> should be able to add a ulimit call to your service's init script
> directly. Though that is a bit of a hack. :)
> In the future, once services have migrated to using Upstart, you can
> set limits more easily. (See "limit")
Also if you want to confine the service you can set the ulimit using AppArmor.
In the profile you can add the line
    set rlimit nofile <= 3200,
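
An added example, not part of the original posts: a shell sketch of the init-script approach mentioned in the thread, with a check that the running daemon actually inherited the limit by reading /proc/PID/limits. The function names and the value 256 are assumptions made for illustration; it needs a Linux /proc.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Requires Linux /proc.

# Print the soft "Max open files" limit of a running process.
nofile_of_pid() {
    awk '/^Max open files/ { print $4 }' "/proc/$1/limits"
}

# Start a command as an init script's start action would: lower
# RLIMIT_NOFILE in a subshell, then exec so the daemon keeps the same
# PID and inherits the limit. The PID is left in STARTED_PID.
start_with_nofile() {
    _limit=$1; shift
    ( ulimit -n "$_limit" && exec "$@" ) >/dev/null 2>&1 &
    STARTED_PID=$!
}

# Return 0 once the process reports the wanted soft limit; retry briefly
# because the subshell may not have called ulimit yet.
verify_nofile() {
    _pid=$1; _want=$2; _tries=0
    while [ "$_tries" -lt 5 ]; do
        [ "$(nofile_of_pid "$_pid" 2>/dev/null)" = "$_want" ] && return 0
        _tries=$((_tries + 1))
        sleep 1
    done
    return 1
}

# Demo, run only as: sh script.sh demo  (256 is a constructed value)
if [ "${1:-}" = demo ]; then
    start_with_nofile 256 sleep 30
    if verify_nofile "$STARTED_PID" 256; then
        echo "pid $STARTED_PID: nofile limit applied"
    else
        echo "pid $STARTED_PID: nofile limit NOT applied" >&2
    fi
    kill "$STARTED_PID" 2>/dev/null
fi
```

The same /proc check works for a daemon confined by an AppArmor profile carrying the rlimit rule, since the limit shows up in the process's limits file however it was set.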