One of the tools admins have at their disposal on Linux to set hard and soft limits for users is the pam_limits module. Basically, pam_limits sets parameters on system resources on a per-user (or per-group) basis. Using these tools, you can limit everything, from the maximum number of files a user can have open to the amount of CPU time.
When setting up or managing multi-user systems, you might want to set some resource constraints for users on the system. Using the pam_limits module, you can do that for many of the resources you might want to constrain. (There is, of course, more than one way to skin a cat–so to speak–but this is one of the easiest ways to go about it.)
What you want to do is start by enabling the pam_limits.so module for each service. For example, here’s how it’s set up on my Ubuntu system for sshd:
session required pam_limits.so
That’s placed in the file /etc/pam.d/sshd.
After that, you need to specify the users and the limits you want to use. For that, at least on Debian-type systems, you’ll want to edit /etc/security/limits.conf.
Again, here’s an example taken from the Debian sample configuration:
* soft core 0
The first field specifies the user or users affected. The * character is a wildcard that specifies all users. That includes UID 0, better known as root. The @ syntax specifies a group–so you get all members of that group instead of having to specify individual users. It would be insane to try to manage all students individually, for example. So you want to use the group syntax whenever possible.
But you can also use limits.conf to nail down the limits for accounts like ftp, when system services are tied to users.
The next field specifies whether a limit is hard or soft. Be careful with hard limits. You might want to start with a soft limit before moving to a hard limit just to ensure you won’t, say, bring a system to a halt because a process can’t spawn any more children. Note that you don’t have to specify hard or soft; some limits can be left with -.
Next, you’ve got the item that’s being limited. See the limits.conf man page for all the options, but you can specify everything from the maximum number of logins for a user to the priority that the user might run processes with, or the maximum file size.
Finally, the last field is the value for the limit. Use whatever values make sense here, for example limiting users to four simultaneous logins.
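As an added example (not from the original column), the Python code below parses the four fields described above, flags malformed entries, and resolves which limits apply to one user. The sample entries, the user alice and the misspelled item nofiles are constructed, and the precedence of a user entry over an @group entry over * is an assumption about pam_limits that the column does not cover.

```python
ITEMS = {"core", "data", "fsize", "memlock", "nofile", "rss", "stack", "cpu",
         "nproc", "as", "maxlogins", "maxsyslogins", "priority", "locks",
         "sigpending", "msgqueue", "nice", "rtprio"}
TYPES = {"soft": ("soft",), "hard": ("hard",), "-": ("soft", "hard")}
# Constructed sample input, not taken from a real system.
SAMPLE = """\
# <domain>  <type>  <item>     <value>
*           soft    core       0
@students   hard    nproc      50
@students   -       maxlogins  4
ftp         hard    nproc      0
alice       hard    nproc      200
@students   hard    nofiles    1024
"""

def parse(text):
    """Return (entries, errors); an entry is (domain, type, item, value)."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue  # blank line or comment
        if len(fields) != 4:
            errors.append((lineno, "expected 4 fields"))
        elif fields[1] not in TYPES:
            errors.append((lineno, "bad type " + fields[1]))
        elif fields[2] not in ITEMS:
            errors.append((lineno, "unknown item " + fields[2]))
        else:
            entries.append(tuple(fields))
    return entries, errors

def effective(entries, user, groups=()):
    """Map (item, 'soft'|'hard') to the value that applies to this user."""
    best = {}
    for domain, typ, item, value in entries:
        # Assumed precedence: user entry (2) > @group entry (1) > wildcard (0).
        rank = (2 if domain == user else
                1 if domain[0] == "@" and domain[1:] in groups else
                0 if domain == "*" else None)
        if rank is None:
            continue  # entry is for someone else
        for kind in TYPES[typ]:  # "-" sets both soft and hard
            if rank >= best.get((item, kind), (-1, None))[0]:
                best[(item, kind)] = (rank, value)
    return {key: val for key, (_, val) in best.items()}

if __name__ == "__main__":
    print(parse(SAMPLE)[1], effective(parse(SAMPLE)[0], "alice", ("students",)))
```

Running a check like this over a draft limits.conf before installing it catches a mistyped type or item name, which is easy to miss when reading the file by eye.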
A tip of the hat to Nikesh Jauhari for inspiring this week’s column. It’s been a while since I looked at this feature. If you’re administering a Linux box, this is an easy way to nail down resources on your system without much added work.
Joe ‘Zonker’ Brockmeier is a freelance writer and editor with more than 10 years covering IT. Formerly the openSUSE Community Manager for Novell, Brockmeier has written for Linux Magazine, Sys Admin, Linux Pro Magazine, IBM developerWorks, Linux.com, CIO.com, Linux Weekly News, ZDNet, and many other publications. You can reach Zonker at jzb@zonker.net and follow him on Twitter.