Diffstat (limited to 'doc/modules/pam_limits.sgml')
-rw-r--r-- | doc/modules/pam_limits.sgml | 247 |
1 files changed, 0 insertions, 247 deletions
diff --git a/doc/modules/pam_limits.sgml b/doc/modules/pam_limits.sgml deleted file mode 100644 index 3678376a..00000000 --- a/doc/modules/pam_limits.sgml +++ /dev/null 
@@ -1,247 +0,0 @@ -<!-- - $Id$ - - This file was written by Andrew G. Morgan <morgan@kernel.org> - from information compiled by Cristian Gafton (author of module) ---> - -<sect1>The resource limits module - -<sect2>Synopsis - -<p> -<descrip> - -<tag><bf>Module Name:</bf></tag> -<tt/pam_limits/ - -<tag><bf>Authors:</bf></tag> -Cristian Gafton <gafton@redhat.com> <newline> -Thanks are also due to Elliot Lee <sopwith@redhat.com> -for his comments on improving this module. - -<tag><bf>Maintainer:</bf></tag> -Cristian Gafton - 1996/11/20 - -<tag><bf>Management groups provided:</bf></tag> -session - -<tag><bf>Cryptographically sensitive:</bf></tag> - -<tag><bf>Security rating:</bf></tag> - -<tag><bf>Clean code base:</bf></tag> - -<tag><bf>System dependencies:</bf></tag> -requires an <tt>/etc/security/limits.conf</tt> file and kernel support -for resource limits. - -<tag><bf>Network aware:</bf></tag> - -</descrip> - -<sect2>Overview of module - -<p> -This module, through the <bf/Linux-PAM/ <em/open/-session hook, sets -limits on the system resources that can be obtained in a -user-session. Its actions are dictated more explicitly through the -configuration file discussed below. - -<sect2>Session component - -<p> -<descrip> - -<tag><bf>Recognized arguments:</bf></tag> -<tt/debug/; <tt>conf=/path/to/file.conf</tt>; <tt>change_uid</tt>; -<tt>utmp_early</tt> - -<tag><bf>Description:</bf></tag> - -Through the contents of the configuration file, -<tt>/etc/security/limits.conf</tt>, resource limits are placed on -users' sessions. Users of <tt/uid=0/ are not affected by this -restriction. - -<p> -The behavior of this module can be modified with the following -arguments: -<itemize> - -<item><tt/debug/ - -verbose logging to <tt/syslog(3)/. - -<item><tt>conf=/path/to/file.conf</tt> - -indicate an alternative <em/limits/ configuration file to the default. - -<item><tt/change_uid/ - -change real uid to the user for who the limits are set up. 
Use this -option if you have problems like login not forking a shell for user -who has no processes. Be warned that something else may break when -you do this. - -<item><tt/utmp_early/ - -some broken applications actually allocate a utmp entry for the user -before the user is admitted to the system. If some of the services you -are configuring PAM for do this, you can selectively use this module -argument to compensate for this behavior and at the same time maintain -system-wide consistency with a single limits.conf file. - -</itemize> - -<tag><bf>Examples/suggested usage:</bf></tag> - -In order to use this module the system administrator must first create -a <em/root-only-readable/ file (default is -<tt>/etc/security/limits.conf</tt>). This file describes the resource -limits the superuser wishes to impose on users and groups. No limits -are imposed on <tt/uid=0/ accounts. - -<p> -Each line of the configuration file describes a limit for a user in -the form: -<tscreen> -<verb> -<domain> <type> <item> <value> -</verb> -</tscreen> - -<p> -The fields listed above should be filled as follows...<newline> -<tt><domain></tt> can be: -<itemize> -<item> a username -<item> a groupname, with <tt>@group</tt> syntax -<item> the wild-card <tt/*/, for default entry -<item> the wild-card <tt/%/, for maxlogins limit only, -can also be used with <tt>%group</tt> syntax -</itemize> - -<p> -<tt><type></tt> can have the three values: -<itemize> - -<item> <tt/hard/ for enforcing <em/hard/ resource limits. These limits -are set by the superuser and enforced by the Linux Kernel. The user -cannot raise his requirement of system resources above such values. - -<item> <tt/soft/ for enforcing <em/soft/ resource limits. These limits -are ones that the user can move up or down within the permitted range -by any pre-exisiting <em/hard/ limits. The values specified with this -token can be thought of as <em/default/ values, for normal system -usage. 
- -<item> <tt/-/ for enforcing both <em/soft/ and <em/hard/ limits -together. - -</itemize> - -<p> -<tt><item></tt> can be one of the following: -<itemize> -<item><tt/core/ - limits the core file size (KB) -<item><tt/data/ - max data size (KB) -<item><tt/fsize/ - maximum filesize (KB) -<item><tt/memlock/ - max locked-in-memory address space (KB) -<item><tt/nofile/ - max number of open files -<item><tt/rss/ - max resident set size (KB) -<item><tt/stack/ - max stack size (KB) -<item><tt/cpu/ - max CPU time (MIN) -<item><tt/nproc/ - max number of processes -<item><tt/as/ - address space limit -<item><tt/maxlogins/ - max number of logins for this user -<item><tt/maxsyslogins/ - max number of logins on system -<item><tt/priority/ - the priority to run user process with (negative -values boost process priority) -<item><tt/locks/ - max locked files (Linux 2.4 and higher) -</itemize> - -<p> -Note, if you specify a type of ``-'' but neglect to supply the -<tt/item/ and <tt/value/ fields then the module will never enforce any -limits on the corresponding user/group-members etc. . Note, the first -entry of the form which applies to the authenticating user will -override all other entries in the limits configuration file. In such -cases, the <tt/pam_limits/ module will always return <tt/PAM_SUCCESS/. - -<p> -In general, individual limits have priority over group limits, so if -you impose no limits for <tt/admin/ group, but one of the members in -this group have a limits line, the user will have its limits set -according to this line. - -<p> -Also, please note that all limit settings are set <em/per login/. -They are not global, nor are they permanent; existing only for the -duration of the session. - -<p> -In the <em/limits/ configuration file, the ``<tt/#/'' character -introduces a comment - after which the rest of the line is ignored. - -<p> -The <tt/pam_limits/ module does its best to report configuration -problems found in its configuration file via <tt/syslog(3)/. 
- -<p> -The following is an example configuration file: -<tscreen> -<verb> -# EXAMPLE /etc/security/limits.conf file: -# ======================================= -# <domain> <type> <item> <value> -* soft core 0 -* hard rss 10000 -@student hard nproc 20 -@faculty soft nproc 20 -@faculty hard nproc 50 -ftp hard nproc 0 -@student - maxlogins 4 -</verb> -</tscreen> -Note, the use of <tt/soft/ and <tt/hard/ limits for the same resource -(see <tt/@faculty/) -- this establishes the <em/default/ and permitted -<em/extreme/ level of resources that the user can obtain in a given -service-session. - -<p> -Note, that wild-cards <tt/*/ and <tt/%/ have the following meaning when -used for maxlogins limit -<itemize> -<item> <tt/*/ every user -<item> <tt/%/ all users, or entire group when <tt>%group</tt> is specified -</itemize> -See the following examples: -<tscreen> -<verb> -# EXAMPLE /etc/security/limits.conf file: -# <domain> <type> <item> <value> -* - maxlogins 2 -@faculty - maxlogins 4 -% - maxlogins 30 -%student - maxlogins 10 -</verb> -</tscreen> -Explanation: every user can login 2 times, members of the <tt/faculty/ -group can login 4 times, there can be only 30 logins, only 10 from -<tt/students/ group. - -<p> -For the services that need resources limits (login for example) put -the following line in <tt>/etc/pam.conf</tt> as the last line for that -service (usually after the pam_unix session line: -<tscreen> -<verb> -# -# Resource limits imposed on login sessions via pam_limits -# -login session required pam_limits.so -</verb> -</tscreen> - -</descrip> - -<!-- -End of sgml insert for this module. ---> |
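Review bot: The diffstat shows 247 deletions and 0 insertions, so this change removes the reference text for `pam_limits` without adding a replacement in the same diff. That covers the `debug`, `conf=`, `change_uid` and `utmp_early` arguments, the `<domain> <type> <item> <value>` line format, and the statement that `uid=0` accounts are not limited. If the content has moved to another format or file, say so in the commit message or land the replacement together with this removal, so administrators configuring limits are not left without the description of `hard` versus `soft` and of the `*` and `%` wildcards for `maxlogins`. If the text is carried over, a few things in the deleted lines should be fixed rather than copied: the parenthesis opened at "(usually after the pam_unix session line:" is never closed, "pre-exisiting" is misspelled, the `as` item gives no unit while the neighbouring size items say KB, and the paragraph beginning "Note, if you specify a type of ``-''" runs two separate rules together (an entry with no item and value, and first-match precedence), which makes it unclear which case "always return PAM_SUCCESS" refers to.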