How to use ulimit utility to restrict users?

You can use the ulimit command to prevent users from abusing system resources. Below I will touch on two of the options:

root@deb1:~# ulimit -a
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) 15957
max locked memory       (kbytes, -l) 64
max memory size         (kbytes, -m) unlimited
open files                      (-n) 1024
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) 8192
cpu time               (seconds, -t) unlimited
max user processes              (-u) 15957
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited

1) Max User Processes: Once you set this, users won't be able to create more processes than this number. For instance:

# ulimit -u 150

For this change to persist, add the line to /etc/profile so that it is applied the next time the user logs out and back in. Run this way, the command sets the hard limit, which a standard user cannot exceed.

Be careful with your limits. For the max-user-processes limit in particular, if you set it too low you may receive an error like the following even during login:

-bash: fork: retry: No child processes
-bash: fork: retry: No child processes
-bash: fork: retry: No child processes

This is because even the bash shell cannot be forked. I also saw that even though my user had 80 processes in total, setting this value to 150 caused this fork error during login. There must be something else taken into account as well, but I don't know at the moment what that really is.

2) Open Files: This is the maximum number of files a user can open. To see the hard and soft limits, run:

# ulimit -H -n
4096
# ulimit -S -n
1024

Hard limits are set by the root user and no user can exceed them; soft limits can be changed by an ordinary user, but only up to the hard limit.
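The soft/hard rules above can be checked from the command line. The script below is an added example, not part of the original post: every ulimit change happens inside a throwaway subshell so the shell you run it from keeps its own limits, and the values 4, 64, 100 and 200 are arbitrary test limits chosen for the demonstration.

```sh
# Added example (not from the original post): exercise the soft/hard rules
# of "open files" (ulimit -n) in subshells. Runs under bash or POSIX sh.

# Returns 0 when a soft limit lowered inside ( ... ) does not leak to the parent.
parent_limits_unchanged() {
    before=$(ulimit -S -n)
    ( ulimit -S -n 64 )               # 64 is an arbitrary test value
    after=$(ulimit -S -n)
    [ "$before" = "$after" ]
}

# Soft may move freely up to the hard limit but never above it: the kernel
# rejects rlim_cur > rlim_max (EINVAL) for every user, root included.
# Returns 0 when the rules hold.
soft_cannot_exceed_hard() {
    (
        ulimit -S -n 100 || exit 2             # soft first, so soft <= hard stays true
        ulimit -H -n 200 || exit 2             # lowering hard: one-way for an ordinary user
        ulimit -S -n 201 2>/dev/null && exit 1 # soft above hard: must be refused
        ulimit -S -n 200 || exit 1             # soft up to hard: allowed
        exit 0
    )
}

# Is the limit actually enforced? Ask a child shell to open three extra
# descriptors (fds 3, 4 and 5) under a soft limit of $1 descriptors.
# With a limit of 4 only fd 3 fits, so the child's redirections fail.
# Returns the child's status: 0 if all three opened, non-zero otherwise.
child_can_open_three_fds() {
    ( ulimit -S -n "$1" && sh -c ': 3</dev/null 4</dev/null 5</dev/null' ) 2>/dev/null
}

main() {
    printf 'current open files: soft=%s hard=%s\n' "$(ulimit -S -n)" "$(ulimit -H -n)"
    parent_limits_unchanged     && echo "subshell change did not leak to parent"
    soft_cannot_exceed_hard     && echo "soft limit is capped by the hard limit"
    child_can_open_three_fds 4  || echo "limit 4: child could not open 3 extra fds"
    child_can_open_three_fds 64 && echo "limit 64: child opened 3 extra fds"
}

main "$@"
```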

TIP: to display or change the system-wide maximum number of open files, look at this file:

# cat /proc/sys/fs/file-max
204226

If you want to set limits per user, modify this file:

/etc/security/limits.conf

If you look into this file you will find pretty nice descriptions of what each option is for.

Below I have also quoted the meaning of the ulimit parameters from the bash manual for quick reference:

-a     All current limits are reported
-b     The maximum socket buffer size
-c     The maximum size of core files created
-d     The maximum size of a process's data segment
-e     The maximum scheduling priority ("nice")
-f     The maximum size of files written by the shell and its children
-i     The maximum number of pending signals
-l     The maximum size that may be locked into memory
-m     The maximum resident set size (many systems do not honor this limit)
-n     The maximum number of open file descriptors (most systems do not allow this value to be set)
-p     The pipe size in 512-byte blocks (this may not be set)
-q     The maximum number of bytes in POSIX message queues
-r     The maximum real-time scheduling priority
-s     The maximum stack size
-t     The maximum amount of cpu time in seconds
-u     The maximum number of processes available to a single user
-v     The maximum amount of virtual memory available to the shell
-x     The maximum number of file locks
-T     The maximum number of threads

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN // JNCIE-SEC #223 / RHCE / PCNSE
