Walker News

How To Limit Linux Resource Availability For User Account?

The Linux ulimit setting lets an administrator control the system resources available to each user account. With a proper configuration, ulimit helps maintain system stability and can avoid system downtime caused by standard (non-root) user accounts.

The fork bomb, for example, is one of the most common denial-of-service attacks, and it can be avoided on a Linux system if ulimit is configured to limit the maximum number of processes available to a single user, say 300 in this example:
ulimit -u 300

Hard limit VS soft limit

There are two types of limit, known as the hard limit and the soft limit, for any system resource controlled by ulimit.

Once the hard limit of a given resource has been set by the root ID at the command prompt, or defined in the /etc/security/limits.conf file before the last system boot-up, it cannot be raised by a standard (non-root) user account. The soft limit can be changed on the fly, but its value cannot exceed the hard limit.

On Red Hat Linux (RHEL 5.2), for example, the -H and -S command options deal with the hard and soft limit respectively:
  • ulimit -Sa displays all current soft limits.
  • ulimit -Ha reports all current hard limits.
  • ulimit -Sc prints the soft limit of the max. core file size.
  • ulimit -Su 300 sets the soft limit of max. processes to 300.
  • ulimit -t 100 sets both the hard and soft limit of max. CPU time to 100 seconds, provided the hard limit defined by the limits.conf file or by the root ID is higher than 100.

Only the root ID can explicitly use the -H option switch to change a hard limit, and it cannot override the hard limit defined for standard users by the limits.conf file. Normally, a Linux administrator defines the ulimit of a given resource for standard users in the /etc/security/limits.conf file, for example:
walker   hard   nproc   6000

defines the hard limit of the max. number of processes for the “walker” user account, so “walker” can neither run more than 6000 processes at one time nor raise this hard limit above 6000.

The limits.conf file usually contains a list of the system resource names for reference, e.g. “nproc” for the max. number of processes, “nofile” for the max. number of open files, “core” for the max. core file size, etc.
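To make the hard/soft rule and the limits.conf format concrete, here is an added example (not code from the Walker News post) that reads a constructed limits.conf sample embedded in the script, resolves the limit that applies to a given user for a given resource, and checks whether a soft-limit request a non-root user might make stays within the configured hard limit. It assumes the precedence pam_limits applies (an explicit user line beats an @group line, which beats the * wildcard, and a later line of the same rank wins), treats the “-” type as setting both hard and soft, and deliberately ignores %group, uid ranges and other syntax the real file accepts; the user and group names are made up.

```shell
#!/bin/sh
# Constructed sample of /etc/security/limits.conf (not a real system file).
LIMITS_SAMPLE="$(cat <<'EOF'
# <domain>  <type>  <item>   <value>
*           soft    nproc    1024
*           hard    nproc    4096
@devs       hard    nproc    8000
walker      hard    nproc    6000
walker      -       nofile   2048
EOF
)"

# effective_limit USER GROUP ITEM TYPE
# Prints the value that applies, or "unset" if no matching line exists.
# Rank: explicit user (3) > @group (2) > '*' wildcard (1); a later line of
# equal or higher rank replaces an earlier one.  TYPE is "hard" or "soft";
# a "-" line in the file counts for both.
effective_limit() {
    user=$1; group=$2; item=$3; type=$4
    printf '%s\n' "$LIMITS_SAMPLE" | awk -v u="$user" -v g="@$group" -v it="$item" -v ty="$type" '
        /^[ \t]*#/ || NF < 4 { next }          # skip comments and short lines
        $3 != it { next }                      # wrong resource
        $2 != ty && $2 != "-" { next }         # wrong type ("-" matches both)
        {
            if ($1 == u) rank = 3
            else if ($1 == g) rank = 2
            else if ($1 == "*") rank = 1
            else next
            if (rank >= best) { best = rank; val = $4 }
        }
        END { print (best ? val : "unset") }'
}

# soft_request_allowed USER GROUP ITEM VALUE
# Exit 0 if a non-root user could set that soft limit, i.e. it does not
# exceed the hard limit the file gives them; exit 1 otherwise.
soft_request_allowed() {
    hard=$(effective_limit "$1" "$2" "$3" hard)
    case $hard in
        unset|unlimited) return 0 ;;           # nothing caps the request
    esac
    [ "$4" -le "$hard" ]
}

# Usage: report the limits for "walker" (primary group "devs") and test
# the soft-limit requests 300 and 7000 against the nproc hard limit.
echo "walker nproc hard: $(effective_limit walker devs nproc hard)"
echo "walker nproc soft: $(effective_limit walker devs nproc soft)"
echo "walker nofile soft: $(effective_limit walker devs nofile soft)"
for req in 300 7000; do
    if soft_request_allowed walker devs nproc "$req"; then
        echo "ulimit -Su $req would be accepted for walker"
    else
        echo "ulimit -Su $req exceeds walker's hard limit and would be refused"
    fi
done
```

Because the sample gives “walker” an explicit hard nproc of 6000, the script reports that a request for 300 is within bounds while 7000 is not, which is exactly the refusal a standard user sees when running ulimit -Su above the hard limit. A user in the “devs” group with no line of their own falls back to the @devs hard limit of 8000, and anyone else to the * default of 4096.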

2016  •  Privacy Policy