How can I (being root) prevent other users from changing their ulimit?
I know this is possible in UNIX, but I'm not sure about Linux (i.e.
Slackware, SUSE).  By the way, how would I do it in UNIX?  (i.e.
Solaris, Darwin, or FreeBSD)

Re: ulimit

Steven Borrelli wrote:

You can't prevent them from changing the limits;  you can only impose a
"cap" (a hard limit) on how much of the system resources any user can use.
A user process can still change (lower, for example) its own limits.

*How* you do this, be it on a commercial Unix system, Linux of whatever
flavour, or a *BSD system, seems to me to be implementation specific.
See the "limits" manual page on Slackware (and other, perhaps?) Linux
systems for an example of one possibility.

I hope this helps ...

Sylvain Robitaille                              syl@alcor.concordia.ca
Systems and Network analyst                       Concordia University
Instructional & Information Technology        Montreal, Quebec, Canada

Re: ulimit

On Thu, 08 Nov 2007, in the Usenet newsgroup comp.os.linux.security, in article

NOTE: Posting from groups.google.com (or some web-forums) dramatically
reduces the chance of your post being seen.  Find a real news server.

And please don't post the same question to multiple newsgroups.

You can't.  They can _reduce_ their limits, or increase them up to
the limits you set, but it's not easy to prevent anyone from changing
them below those maximum limits.

It's a _shell_ function, not an O/S.  You're probably running a Bourne
type shell (sh, bash, ksh, or similar), and for that the built-in
command is 'ulimit'.   For a 'c' type shell (csh, tcsh, and similar),
the command is 'limit'.

Limits are set in a login shell - so if you are using a text based
login and a Bourne shell, use /etc/profile.  If using a 'csh' shell,
use ~/.login in the users home directory. If using a 'tcsh' shell,
see the man page, as things vary as a function of how the shell is
compiled.   For a _GUI_ login (runlevel 5 in a Linux Standard Base
compliant distribution)[1], you need to look at the man page for the
display manager used (gdm, kdm, wdm, xdm, etc.) as they usually
do NOT use a shell as the place to set things - .xinitrc, .xsession,
or similar - often in the user's home directory.  For those files
that set the limits but are located _in_ the user's home directory,
you need to change ownership of that/those files to root:root, and
set the 'sticky bit' on the directory itself (chmod 1750 /home/mumble)
so that only the file _owner_ can delete the file.

Bottom line - see the man page for the shell used, and read the
sections about limits and shell invocation.

        Old guy

[1] Mandriva 2008 is an exception. The GUI login shell scripts source
~/.bash_profile - which isn't much good in a 'csh' environment, but is
a start.

Re: ulimit

Steven Borrelli wrote:

For Linux
man limits.conf

limits.conf lives in /etc/security usually.
It applies (or could apply, depending on configuration) to any user.
It's not dependent on shell.  You can use the shell ulimit command to
change soft limits, like a previous poster said, but hard limits are
absolute maximums.
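
Added example, not part of any post in this thread: a shell sketch of the soft/hard behaviour the replies describe, using the open-files limit (`-n`). The value of `CAP`, the `check` and `demo_limits` helpers, and the `limits.conf` line in the comment are constructed for illustration.

```shell
#!/bin/sh
# Soft vs hard resource limits, demonstrated on the open-files limit (-n).
# CAP is a constructed value. On Linux with pam_limits, the same cap could
# come from a limits.conf line such as:   @students  hard  nofile  64
CAP=64

# check LABEL SCRIPT: run SCRIPT in a throwaway subshell and report whether
# the shell was allowed to make the change.
check() {
    if ( eval "$2" ) 2>/dev/null; then
        printf '%s=ok\n' "$1"
    else
        printf '%s=denied\n' "$1"
    fi
}

# The function body is a subshell, so the caller's own limits are untouched.
demo_limits() (
    # Without -S or -H, ulimit sets the soft AND the hard limit.
    ulimit -n "$CAP" 2>/dev/null || { echo "setup=failed"; exit 1; }

    # A user may lower the soft limit ...
    check lower_soft      "ulimit -S -n $((CAP / 2))"
    # ... and raise it again, but only up to the hard limit.
    check restore_soft    "ulimit -S -n $((CAP / 2)) && ulimit -S -n $CAP"
    # The soft limit can never exceed the hard limit.
    check soft_above_hard "ulimit -S -n $((CAP + 1))"
    # Raising the hard limit needs privilege (CAP_SYS_RESOURCE on Linux),
    # so this is denied for an ordinary user.
    check raise_hard      "ulimit -H -n $((CAP * 2))"
)

demo_limits
```

Run as an ordinary user, the first two checks report `ok` and the last two report `denied`; the administrator's hard limit is the only part a user cannot undo.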
