Bugtraq mailing list archives
Re: limit maximum nr. of processes.
From: costan () COMM2000 IT (Andrea Costantino)
Date: Tue, 7 Sep 1999 13:49:38 +0200
On Fri, 3 Sep 1999, Alfonso Lazaro wrote:
Date: Fri, 3 Sep 1999 13:18:02 +0200
From: Alfonso Lazaro <altellez () IP6SEGURIDAD COM>
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: limit maximum nr. of processes.

On Wed, Sep 01, 1999 at 10:53:48AM +0200, Petter Wahlman <petter () proact no> wrote:

To limit the maximum number of processes you can use Linux-PAM.

Edit /etc/pam.d/login:

    #%PAM-1.0
    auth       required     /lib/security/pam_securetty.so
    auth       required     /lib/security/pam_pwdb.so shadow nullok
    auth       required     /lib/security/pam_nologin.so
    account    required     /lib/security/pam_pwdb.so
    password   required     /lib/security/pam_cracklib.so
    password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok
    session    required     /lib/security/pam_pwdb.so
    session    required     /lib/security/pam_limits.so

You have to add the last two lines.

Then edit /etc/security/limits.conf:

    # /etc/security/limits.conf
    #
    #Each line describes a limit for a user in the form:
    #
    #<domain>        <type>  <item>  <value>
    #
    #Where:
    #<domain> can be:
    #        - an user name
    #        - a group name, with @group syntax
    #        - the wildcard *, for default entry
    #
    #<type> can have the two values:
    #        - "soft" for enforcing the soft limits
    #        - "hard" for enforcing hard limits
    #
    #<item> can be one of the following:
    #        - core - limits the core file size (KB)
    #        - data - max data size (KB)
    #        - fsize - maximum filesize (KB)
    #        - memlock - max locked-in-memory address space (KB)
    #        - nofile - max number of open files
    #        - rss - max resident set size (KB)
    #        - stack - max stack size (KB)
    #        - cpu - max CPU time (MIN)
    #        - nproc - max number of processes
    #        - as - address space limit
    #        - maxlogins - max number of logins for this user
    #
    #<domain>        <type>  <item>          <value>
    #
    #*               soft    core            0
    #*               hard    rss             10000
    #@student        hard    nproc           20
    #@faculty        soft    nproc           20
    #@faculty        hard    nproc           50
    #ftp             hard    nproc           0
    #@student        -       maxlogins       4

As you can see, you can limit the number of processes and much more, like cpu, stack ...

It works fine, but if you use a non-standard login such as ssh it's overridden, as sshd does not look at the PAM plugin to start authentication.

The best solution would be to incorporate PAM use in sshd, and in any of the login methods allowed on a (Linux) system, but often it's not possible.

So an easy workaround could be to add some lines to /etc/profile or any script executed automatically at shell login. By adding

    ulimit -H <some-kind-of-limit>

a hard limit is set to the specified value for the given resource (see man bash). Any shell has a builtin feature to set this hard limit.

Please note that this hard limit is kernel imposed, so, when it is set, no user except root can raise the given value.

We kiss your hands,
k0
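
The /etc/profile workaround from the reply above, written out as an added example that is not part of the original post: it lowers the soft and then the hard process limit for non-root login shells and never raises a limit that is already stricter. The limit values and the names `lower_limit`, `apply_login_limits` and `NPROC_FLAG` are assumptions chosen for illustration; the flag probe is there because bash selects the process limit with `ulimit -u` while dash uses `ulimit -p`.

```shell
# Added example: fragment for /etc/profile. The limit values are constructed.
# /etc/profile is read only by Bourne-style login shells, so sessions that
# start another way (for example "ssh host command") are not covered by it.
NPROC_SOFT=64     # default ceiling, the user may raise it up to NPROC_HARD
NPROC_HARD=128    # absolute ceiling, only root can raise it again

# Flag that selects "max user processes": -u in bash, -p in dash.
if ulimit -u >/dev/null 2>&1; then NPROC_FLAG=u; else NPROC_FLAG=p; fi

# lower_limit H|S FLAG VALUE
# Lowers a limit to VALUE and leaves it alone when it is already stricter,
# so a tighter limit inherited from the parent is never loosened.
lower_limit() {
    cur=$(ulimit -"$1" -"$2") || return 1
    if [ "$cur" = unlimited ] || [ "$cur" -gt "$3" ]; then
        ulimit -"$1" -"$2" "$3" || return 1
    fi
}

apply_login_limits() {
    # Leave root unrestricted so an administrator can still log in and
    # clean up after a runaway user.
    [ "$(id -u)" -eq 0 ] && return 0
    # Soft first: the kernel rejects a hard limit below the current soft one.
    lower_limit S "$NPROC_FLAG" "$NPROC_SOFT" &&
        lower_limit H "$NPROC_FLAG" "$NPROC_HARD"
}

# Last line of the fragment once it is placed in /etc/profile:
# apply_login_limits
```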