diff options
Diffstat (limited to '')
| -rw-r--r-- | modules/pam_limits/limits.conf.5 | 349 | ||||
| -rw-r--r-- | modules/pam_limits/limits.conf.5.xml | 360 |
2 files changed, 709 insertions, 0 deletions
diff --git a/modules/pam_limits/limits.conf.5 b/modules/pam_limits/limits.conf.5 new file mode 100644 index 0000000..a4a0ed3 --- /dev/null +++ b/modules/pam_limits/limits.conf.5 @@ -0,0 +1,349 @@ +'\" t +.\" Title: limits.conf +.\" Author: [see the "AUTHOR" section] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 09/03/2021 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "LIMITS\&.CONF" "5" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +limits.conf \- configuration file for the pam_limits module +.SH "DESCRIPTION" +.PP +The +\fIpam_limits\&.so\fR +module applies ulimit limits, nice priority and number of simultaneous login sessions limit to user login sessions\&. This description of the configuration file syntax applies to the +/etc/security/limits\&.conf +file and +*\&.conf +files in the +/etc/security/limits\&.d +directory\&. +.PP +The syntax of the lines is as follows: +.PP +\fI<domain>\fR +\fI<type>\fR +\fI<item>\fR +\fI<value>\fR +.PP +The fields listed above should be filled as follows: +.PP +\fB<domain>\fR +.RS 4 +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +a username +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +a groupname, with +\fB@group\fR +syntax\&. This should not be confused with netgroups\&. +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +the wildcard +\fB*\fR, for default entry\&. +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +the wildcard +\fB%\fR, for maxlogins limit only, can also be used with +\fB%group\fR +syntax\&. If the +\fB%\fR +wildcard is used alone it is identical to using +\fB*\fR +with maxsyslogins limit\&. With a group specified after +\fB%\fR +it limits the total number of logins of all users that are member of the group\&. +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +an uid range specified as +\fI<min_uid>\fR\fB:\fR\fI<max_uid>\fR\&. If min_uid is omitted, the match is exact for the max_uid\&. If max_uid is omitted, all uids greater than or equal min_uid match\&. +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +a gid range specified as +\fB@\fR\fI<min_gid>\fR\fB:\fR\fI<max_gid>\fR\&. If min_gid is omitted, the match is exact for the max_gid\&. If max_gid is omitted, all gids greater than or equal min_gid match\&. For the exact match all groups including the user\*(Aqs supplementary groups are examined\&. For the range matches only the user\*(Aqs primary group is examined\&. +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +a gid specified as +\fB%:\fR\fI<gid>\fR +applicable to maxlogins limit only\&. It limits the total number of logins of all users that are member of the group with the specified gid\&. +.RE +.RE +.PP +\fB<type>\fR +.RS 4 +.PP +\fBhard\fR +.RS 4 +for enforcing +\fBhard\fR +resource limits\&. These limits are set by the superuser and enforced by the Kernel\&. The user cannot raise his requirement of system resources above such values\&. +.RE +.PP +\fBsoft\fR +.RS 4 +for enforcing +\fBsoft\fR +resource limits\&. These limits are ones that the user can move up or down within the permitted range by any pre\-existing +\fBhard\fR +limits\&. The values specified with this token can be thought of as +\fIdefault\fR +values, for normal system usage\&. +.RE +.PP +\fB\-\fR +.RS 4 +for enforcing both +\fBsoft\fR +and +\fBhard\fR +resource limits together\&. +.sp +Note, if you specify a type of \*(Aq\-\*(Aq but neglect to supply the item and value fields then the module will never enforce any limits on the specified user/group etc\&. \&. +.RE +.RE +.PP +\fB<item>\fR +.RS 4 +.PP +\fBcore\fR +.RS 4 +limits the core file size (KB) +.RE +.PP +\fBdata\fR +.RS 4 +maximum data size (KB) +.RE +.PP +\fBfsize\fR +.RS 4 +maximum filesize (KB) +.RE +.PP +\fBmemlock\fR +.RS 4 +maximum locked\-in\-memory address space (KB) +.RE +.PP +\fBnofile\fR +.RS 4 +maximum number of open file descriptors +.RE +.PP +\fBrss\fR +.RS 4 +maximum resident set size (KB) (Ignored in Linux 2\&.4\&.30 and higher) +.RE +.PP +\fBstack\fR +.RS 4 +maximum stack size (KB) +.RE +.PP +\fBcpu\fR +.RS 4 +maximum CPU time (minutes) +.RE +.PP +\fBnproc\fR +.RS 4 +maximum number of processes +.RE +.PP +\fBas\fR +.RS 4 +address space limit (KB) +.RE +.PP +\fBmaxlogins\fR +.RS 4 +maximum number of logins for this user (this limit does not apply to user with +\fIuid=0\fR) +.RE +.PP +\fBmaxsyslogins\fR +.RS 4 +maximum number of all logins on system; user is not allowed to log\-in if total number of all user logins is greater than specified number (this limit does not apply to user with +\fIuid=0\fR) +.RE +.PP +\fBnonewprivs\fR +.RS 4 +value of 0 or 1; if set to 1 disables acquiring new privileges by invoking prctl(PR_SET_NO_NEW_PRIVS) +.RE +.PP +\fBpriority\fR +.RS 4 +the priority to run user process with (negative values boost process priority) +.RE +.PP +\fBlocks\fR +.RS 4 +maximum locked files (Linux 2\&.4 and higher) +.RE +.PP +\fBsigpending\fR +.RS 4 +maximum number of pending signals (Linux 2\&.6 and higher) +.RE +.PP +\fBmsgqueue\fR +.RS 4 +maximum memory used by POSIX message queues (bytes) (Linux 2\&.6 and higher) +.RE +.PP +\fBnice\fR +.RS 4 +maximum nice priority allowed to raise to (Linux 2\&.6\&.12 and higher) values: [\-20,19] +.RE +.PP +\fBrtprio\fR +.RS 4 +maximum realtime priority allowed for non\-privileged processes (Linux 2\&.6\&.12 and higher) +.RE +.RE +.PP +All items support the values +\fI\-1\fR, +\fIunlimited\fR +or +\fIinfinity\fR +indicating no limit, except for +\fBpriority\fR, +\fBnice\fR, and +\fBnonewprivs\fR\&. If +\fBnofile\fR +is to be set to one of these values, it will be set to the contents of /proc/sys/fs/nr_open instead (see setrlimit(3))\&. +.PP +If a hard limit or soft limit of a resource is set to a valid value, but outside of the supported range of the local system, the system may reject the new limit or unexpected behavior may occur\&. If the control value +\fIrequired\fR +is used, the module will reject the login if a limit could not be set\&. +.PP +In general, individual limits have priority over group limits, so if you impose no limits for +\fIadmin\fR +group, but one of the members in this group have a limits line, the user will have its limits set according to this line\&. +.PP +Also, please note that all limit settings are set +\fIper login\fR\&. They are not global, nor are they permanent; existing only for the duration of the session\&. One exception is the +\fImaxlogin\fR +option, this one is system wide\&. But there is a race, concurrent logins at the same time will not always be detect as such but only counted as one\&. +.PP +In the +\fIlimits\fR +configuration file, the \*(Aq\fB#\fR\*(Aq character introduces a comment \- after which the rest of the line is ignored\&. +.PP +The pam_limits module does report configuration problems found in its configuration file and errors via +\fBsyslog\fR(3)\&. +.SH "EXAMPLES" +.PP +These are some example lines which might be specified in +/etc/security/limits\&.conf\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf +* soft core 0 +* hard nofile 512 +@student hard nproc 20 +@faculty soft nproc 20 +@faculty hard nproc 50 +ftp hard nproc 0 +@student \- maxlogins 4 +@student \- nonewprivs 1 +:123 hard cpu 5000 +@500: soft cpu 10000 +600:700 hard locks 10 + +.fi +.if n \{\ +.RE +.\} +.SH "SEE ALSO" +.PP +\fBpam_limits\fR(8), +\fBpam.d\fR(5), +\fBpam\fR(8), +\fBgetrlimit\fR(2), +\fBgetrlimit\fR(3p) +.SH "AUTHOR" +.PP +pam_limits was initially written by Cristian Gafton <gafton@redhat\&.com> diff --git a/modules/pam_limits/limits.conf.5.xml b/modules/pam_limits/limits.conf.5.xml new file mode 100644 index 0000000..c5bd676 --- /dev/null +++ b/modules/pam_limits/limits.conf.5.xml @@ -0,0 +1,360 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="limits.conf"> + + <refmeta> + <refentrytitle>limits.conf</refentrytitle> + <manvolnum>5</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv> + <refname>limits.conf</refname> + <refpurpose>configuration file for the pam_limits module</refpurpose> + </refnamediv> + + <refsect1 id='limits.conf-description'> + <title>DESCRIPTION</title> + <para> + The <emphasis>pam_limits.so</emphasis> module applies ulimit limits, + nice priority and number of simultaneous login sessions limit to user + login sessions. This description of the configuration file syntax + applies to the <filename>/etc/security/limits.conf</filename> file and + <filename>*.conf</filename> files in the + <filename>/etc/security/limits.d</filename> directory. + </para> + <para> + The syntax of the lines is as follows: + </para> + <para> + <replaceable><domain></replaceable> <replaceable><type></replaceable> + <replaceable><item></replaceable> <replaceable><value></replaceable> + </para> + <para> + The fields listed above should be filled as follows: + </para> + <variablelist> + <varlistentry> + <term> + <option><domain></option> + </term> + <listitem> + <itemizedlist> + <listitem> + <para> + a username + </para> + </listitem> + <listitem> + <para> + a groupname, with <emphasis remap='B'>@group</emphasis> syntax. + This should not be confused with netgroups. + </para> + </listitem> + <listitem> + <para> + the wildcard <emphasis remap='B'>*</emphasis>, for default entry. + </para> + </listitem> + <listitem> + <para> + the wildcard <emphasis remap='B'>%</emphasis>, for maxlogins limit only, + can also be used with <emphasis remap='B'>%group</emphasis> syntax. If the + <emphasis remap='B'>%</emphasis> wildcard is used alone it is identical + to using <emphasis remap='B'>*</emphasis> with maxsyslogins limit. With + a group specified after <emphasis remap='B'>%</emphasis> it limits the total + number of logins of all users that are member of the group. + </para> + </listitem> + <listitem> + <para> + an uid range specified as <replaceable><min_uid></replaceable><emphasis + remap='B'>:</emphasis><replaceable><max_uid></replaceable>. If min_uid + is omitted, the match is exact for the max_uid. If max_uid is omitted, all + uids greater than or equal min_uid match. + </para> + </listitem> + <listitem> + <para> + a gid range specified as <emphasis + remap='B'>@</emphasis><replaceable><min_gid></replaceable><emphasis + remap='B'>:</emphasis><replaceable><max_gid></replaceable>. If min_gid + is omitted, the match is exact for the max_gid. If max_gid is omitted, all + gids greater than or equal min_gid match. For the exact match all groups including + the user's supplementary groups are examined. For the range matches only + the user's primary group is examined. + </para> + </listitem> + <listitem> + <para> + a gid specified as <emphasis + remap='B'>%:</emphasis><replaceable><gid></replaceable> applicable + to maxlogins limit only. It limits the total number of logins of all users + that are member of the group with the specified gid. + </para> + </listitem> + </itemizedlist> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option><type></option> + </term> + <listitem> + <variablelist> + <varlistentry> + <term><option>hard</option></term> + <listitem> + <para> + for enforcing <emphasis remap='B'>hard</emphasis> resource limits. + These limits are set by the superuser and enforced by the Kernel. + The user cannot raise his requirement of system resources above such values. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>soft</option></term> + <listitem> + <para> + for enforcing <emphasis remap='B'>soft</emphasis> resource limits. + These limits are ones that the user can move up or down within the + permitted range by any pre-existing <emphasis remap='B'>hard</emphasis> + limits. The values specified with this token can be thought of as + <emphasis>default</emphasis> values, for normal system usage. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>-</option></term> + <listitem> + <para> + for enforcing both <emphasis remap='B'>soft</emphasis> and + <emphasis remap='B'>hard</emphasis> resource limits together. + </para> + <para> + Note, if you specify a type of '-' but neglect to supply the + item and value fields then the module will never enforce any + limits on the specified user/group etc. . + </para> + </listitem> + </varlistentry> + </variablelist> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option><item></option> + </term> + <listitem> + <variablelist> + <varlistentry> + <term><option>core</option></term> + <listitem> + <para>limits the core file size (KB)</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>data</option></term> + <listitem> + <para>maximum data size (KB)</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>fsize</option></term> + <listitem> + <para>maximum filesize (KB)</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>memlock</option></term> + <listitem> + <para>maximum locked-in-memory address space (KB)</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>nofile</option></term> + <listitem> + <para>maximum number of open file descriptors</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>rss</option></term> + <listitem> + <para>maximum resident set size (KB) (Ignored in Linux 2.4.30 and higher)</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>stack</option></term> + <listitem> + <para>maximum stack size (KB)</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>cpu</option></term> + <listitem> + <para>maximum CPU time (minutes)</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>nproc</option></term> + <listitem> + <para>maximum number of processes</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>as</option></term> + <listitem> + <para>address space limit (KB)</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>maxlogins</option></term> + <listitem> + <para>maximum number of logins for this user (this limit does + not apply to user with <emphasis>uid=0</emphasis>)</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>maxsyslogins</option></term> + <listitem> + <para>maximum number of all logins on system; user is not + allowed to log-in if total number of all user logins is + greater than specified number (this limit does not apply to + user with <emphasis>uid=0</emphasis>)</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>nonewprivs</option></term> + <listitem> + <para>value of 0 or 1; if set to 1 disables acquiring new + privileges by invoking prctl(PR_SET_NO_NEW_PRIVS)</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>priority</option></term> + <listitem> + <para>the priority to run user process with (negative + values boost process priority)</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>locks</option></term> + <listitem> + <para>maximum locked files (Linux 2.4 and higher)</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>sigpending</option></term> + <listitem> + <para>maximum number of pending signals (Linux 2.6 and higher)</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>msgqueue</option></term> + <listitem> + <para>maximum memory used by POSIX message queues (bytes) + (Linux 2.6 and higher)</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>nice</option></term> + <listitem> + <para>maximum nice priority allowed to raise to (Linux 2.6.12 and higher) values: [-20,19]</para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>rtprio</option></term> + <listitem> + <para>maximum realtime priority allowed for non-privileged processes + (Linux 2.6.12 and higher)</para> + </listitem> + </varlistentry> + </variablelist> + </listitem> + </varlistentry> + + </variablelist> + <para> + All items support the values <emphasis>-1</emphasis>, + <emphasis>unlimited</emphasis> or <emphasis>infinity</emphasis> indicating no limit, + except for <emphasis remap='B'>priority</emphasis>, <emphasis remap='B'>nice</emphasis>, + and <emphasis remap='B'>nonewprivs</emphasis>. + If <emphasis remap='B'>nofile</emphasis> is to be set to one of these values, + it will be set to the contents of /proc/sys/fs/nr_open instead (see setrlimit(3)). + </para> + <para> + If a hard limit or soft limit of a resource is set to a valid value, + but outside of the supported range of the local system, the system + may reject the new limit or unexpected behavior may occur. If the + control value <emphasis>required</emphasis> is used, the module will + reject the login if a limit could not be set. + </para> + <para> + In general, individual limits have priority over group limits, so if + you impose no limits for <emphasis>admin</emphasis> group, but one of + the members in this group have a limits line, the user will have its + limits set according to this line. + </para> + <para> + Also, please note that all limit settings are set + <emphasis>per login</emphasis>. They are not global, nor are they + permanent; existing only for the duration of the session. + One exception is the <emphasis>maxlogin</emphasis> option, this one + is system wide. But there is a race, concurrent logins at the same + time will not always be detect as such but only counted as one. + </para> + <para> + In the <emphasis>limits</emphasis> configuration file, the + '<emphasis remap='B'>#</emphasis>' character introduces a comment + - after which the rest of the line is ignored. + </para> + <para> + The pam_limits module does report configuration problems + found in its configuration file and errors via <citerefentry> + <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>. + </para> + </refsect1> + + <refsect1 id="limits.conf-examples"> + <title>EXAMPLES</title> + <para> + These are some example lines which might be specified in + <filename>/etc/security/limits.conf</filename>. + </para> + <programlisting> +* soft core 0 +* hard nofile 512 +@student hard nproc 20 +@faculty soft nproc 20 +@faculty hard nproc 50 +ftp hard nproc 0 +@student - maxlogins 4 +@student - nonewprivs 1 +:123 hard cpu 5000 +@500: soft cpu 10000 +600:700 hard locks 10 + </programlisting> + </refsect1> + + <refsect1 id="limits.conf-see_also"> + <title>SEE ALSO</title> + <para> + <citerefentry><refentrytitle>pam_limits</refentrytitle><manvolnum>8</manvolnum></citerefentry>, + <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>, + <citerefentry><refentrytitle>getrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>, + <citerefentry><refentrytitle>getrlimit</refentrytitle><manvolnum>3p</manvolnum></citerefentry> + </para> + </refsect1> + + <refsect1 id="limits.conf-author"> + <title>AUTHOR</title> + <para> + pam_limits was initially written by Cristian Gafton <gafton@redhat.com> + </para> + </refsect1> +</refentry> |