Section 21.3. Objective 3: Set Up User-level Security



Even after you've taken the precautions listed earlier, the potential for valid users of your system to cause problems by consuming resources still exists. Such a problem could be accidental, but if it happens intentionally, it is called a denial of service (DoS) attack. For example, a user could create processes that replicate themselves and never exit. Eventually your system would grind to a halt because of thousands of processes, each trying to create more clones. You could also have a user begin allocating memory until the system cannot cope with the requests. In either case, you'd probably need to restart the system, if it responds at all. Clearly, prevention is more desirable for everyone.

You can prevent these scenarios without undue restrictions on users by using ulimit. This is a bash built-in command that sets maximums on various system resources for users. To enforce limits on users, include ulimit commands in /etc/profile.


Syntax

 ulimit [options] [limit] 


Description

The bash built-in ulimit provides control over resources available to the shell and its child processes. For each resource, two limits may be set: a hard limit and a soft limit. Hard limits can be changed only by the superuser; soft limits may be increased by users up to the value of the hard limit. Hard and soft limits are specified with the special -H and -S options, respectively. The other options select which resource is being limited. If an option is provided with a limit value, the corresponding limit is set. If limit is not provided, the current limit is displayed. The limit value is either the special word unlimited or a numeric value.


Options


-a

Display all current limits. This option does not accept a limit value.


-f

The maximum size of files created by the shell. This is the default resource if options are not specified.


-u

The maximum number of processes available to a single user.


-v

The maximum amount of virtual memory available to the shell.


-H

Specify the hard limit. Unless -H is specified, the soft limit is assumed.


-S

Explicitly specify the soft limit. This is the default.


Example 1

Display all limits for an account:

 $ ulimit -a
 core file size (blocks)  1000000
 data seg size (kbytes)   unlimited
 file size (blocks)       unlimited
 max memory size (kbytes) unlimited
 stack size (kbytes)      8192
 cpu time (seconds)       unlimited
 max user processes       256
 pipe size (512 bytes)    8
 open files               1024
 virtual memory (kbytes)  2105343


Example 2

Set the maximum number of processes to 128:

 $ ulimit -Hu 128 


Example 3

Set the maximum working number of processes to 128 but allow the user to raise her limit as high as 150:

 $ ulimit -Su 128
 $ ulimit -Hu 150
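The soft/hard behaviour from the Description and Example 3, written as an added example that is not from the book: set_limit and limit_report are hypothetical helper names, SOFT and HARD are assumed to be numeric, and the commented /etc/profile line is an assumed usage.

```bash
#!/bin/bash
# Added example, not from the book. set_limit and limit_report are
# hypothetical helper names; SOFT and HARD must be numbers.

# set_limit FLAG SOFT HARD   (FLAG is a resource option such as -u, -v or -f)
# The soft limit is changed first so it never exceeds the hard limit, and an
# existing stricter hard limit is kept instead of being raised.
set_limit() {
    local flag=$1 soft=$2 hard=$3 cur
    cur=$(ulimit -H "$flag") || return 1
    if [ "$cur" != unlimited ] && [ "$cur" -lt "$hard" ]; then
        hard=$cur
    fi
    if [ "$soft" -gt "$hard" ]; then soft=$hard; fi
    ulimit -S "$flag" "$soft" && ulimit -H "$flag" "$hard" || return 1
    applied_hard=$hard      # left for the caller (global on purpose)
}

# limit_report FLAG SOFT HARD
# The body is a subshell, so the calling shell keeps its own limits. After the
# limits are set only builtins run, so a low -u value cannot block the report.
limit_report() (
    set_limit "$1" "$2" "$3" || { echo "could not set $1"; exit 1; }
    printf 'soft='; ulimit -S "$1"
    printf 'hard='; ulimit -H "$1"
    # The soft limit may be moved anywhere up to the hard limit ...
    if ulimit -S "$1" "$applied_hard" 2>/dev/null; then
        echo 'raise_soft_to_hard=ok'
    else
        echo 'raise_soft_to_hard=denied'
    fi
    # ... but a soft value above the hard limit is rejected.
    if ulimit -S "$1" "$((applied_hard + 1))" 2>/dev/null; then
        echo 'raise_soft_above_hard=ok'
    else
        echo 'raise_soft_above_hard=denied'
    fi
)

# Assumed use in /etc/profile, with the values from Example 3 and root exempt:
#   [ "$(id -u)" -ne 0 ] && set_limit -u 128 150
# Check from any shell:
#   limit_report -u 128 150
```

Limits set from /etc/profile reach only sessions whose shell reads that file, so confirm the result with ulimit -a from a fresh login as the affected user.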



LPI Linux Certification in a Nutshell
LPI Linux Certification in a Nutshell (In a Nutshell (OReilly))
ISBN: 0596005288
EAN: 2147483647
Year: 2004
Pages: 257
