pam_limits.so

The pam_limits.so module is part of the Pluggable Authentication Modules (PAM) framework on Unix-like systems. It allows administrators to set and enforce resource limits (such as maximum number of processes, maximum CPU time, and maximum file size) for user sessions. Here’s an overview of pam_limits.so, its purpose, configuration, and significance:

Purpose of pam_limits.so

The main purpose of pam_limits.so is to:

  • Enforce system-wide resource limits on a per-user or per-group basis.

  • Enhance security and stability by preventing users or processes from consuming excessive resources.

  • Customize resource limits for specific user sessions without modifying global system settings.

Key Features and Functionality

  1. Resource Limitation: pam_limits.so enables administrators to specify limits for various system resources, including:

    • Maximum CPU time (maxcpu)

    • Maximum number of simultaneous processes (maxproc)

    • Maximum size of core files (core)

    • Maximum size of data segments (data)

    • Maximum size of file locks (fsize)

    • Maximum number of open files (nofile)

    • Maximum number of locked memory pages (memlock)

    • Maximum number of pending signals (sigpending)

    • Maximum number of queued signals (msgqueue)

  2. Configuration Options: The configuration of pam_limits.so is typically managed through the /etc/security/limits.conf file, where administrators can define limits for specific users or groups. However, pam_limits.so itself is enabled through PAM configuration files (/etc/pam.d/ directory).

  3. Soft and Hard Limits: Similar to /etc/security/limits.conf, pam_limits.so supports soft and hard limits:

    • Soft Limits: Advisory limits that can be exceeded temporarily.

    • Hard Limits: Absolute limits that cannot be exceeded.

  4. Integration with PAM: pam_limits.so integrates with the PAM framework, allowing administrators to enforce resource limits during the authentication and session setup phases of user login.

Configuration Example

To enable pam_limits.so for setting resource limits, you would typically configure the appropriate PAM file (/etc/pam.d/common-session or similar) to include the following line:

session required pam_limits.so

Then, configure resource limits in /etc/security/limits.conf. For example:

# Allow core dumps, but set the limit for all users
* soft core 0
* hard core unlimited

# Limit maximum number of processes for all users
* soft nproc 100
* hard nproc 200

# Limit maximum number of open files for all users
* soft nofile 1024
* hard nofile 4096

Security Considerations

  • Impact Assessment: Understand the impact of setting limits on users and processes before applying them.

  • Testing: Test limits in a controlled environment to ensure they do not adversely affect system functionality or user workflows.

  • Monitoring: Monitor system logs and performance after applying limits to detect any unexpected behavior or resource contention.

Conclusion

pam_limits.so is a valuable component of the PAM framework, allowing administrators to enforce resource limits for user sessions on Unix-like systems. By configuring pam_limits.so appropriately, administrators can enhance system security and stability by preventing resource abuse and ensuring fair resource allocation.

Previouspam_ecryptfsNextpam_tty_audit.so

Last updated