21.3 Objective 3: Set Up User-Level
Security
Even after you've
taken the precautions listed earlier, the potential for valid
users of your system to cause problems by consuming resources
still exists. Such a problem could be accidental, but if it
happens intentionally, it is called a Denial of Service (DoS) attack. For
example, a user could create processes that replicate
themselves and never exit. Eventually your system would grind
to a halt because of thousands of processes, each trying to
create more clones. You could also have a user begin
allocating memory until the system cannot cope with the
requests. In either case, you'd probably need to restart the
system, if it responds at all. Clearly, prevention is more
desirable for everyone.
You can prevent these scenarios without undue
restrictions on users by using ulimit. This is a bash
built-in command that sets
maximums on various system resources for users. To enforce
limits on users, include ulimit
commands in /etc/profile.
Syntaxulimit [options] [limit]
Description
The bash built-in ulimit provides control over
resources available to the shell and its child processes. For
each resource, two limits may be set: a hard limit and a soft limit. Hard limits can be
changed only by the superuser; soft limits may be increased by
users up to the value of the hard limit. Hard and soft limits
are specified with the special -H and -S options, respectively. Other
options specify specific limits. If an option is provided with
a limit value, the corresponding limit is set. If
limit is not provided, the current limit is displayed.
limit is either the special word unlimited or a
numeric value.
Options
- -H
-
Specify the hard limit. Unless -H is specified, the soft limit is
assumed.
- -S
-
Explicitly specify the soft limit. This is
the default.
- -a
-
Display all current limits. This option
does not accept a limit value.
- -f
-
The maximum size of files created by the
shell. This is the default resource if options are not
specified.
- -u
-
The maximum number of processes available
to a single user.
- -v
-
The maximum amount of virtual memory
available to the shell.
Example 1
Display all limits for an account: $ ulimit -a
core file size (blocks) 1000000
data seg size (kbytes) unlimited
file size (blocks) unlimited
max memory size (kbytes) unlimited
stack size (kbytes) 8192
cpu time (seconds) unlimited
max user processes 256
pipe size (512 bytes) 8
open files 1024
virtual memory (kbytes) 2105343
Example 2
Set the maximum number of processes to
128: $ ulimit -Hu 128
Example 3
Set the maximum working number of processes
to 128 but allow the user to raise his limit as high as 150:
$ ulimit -Su 128
$ ulimit -Hu 150
|