下面我们先看看这个模块的说明:
模块名称:
pam_limits
系统倚赖:
需要一个 /etc/security/limits.conf 文件 和内核对资源限制的支持,同时也需要使用 libpwdb 库
接收的参数:
debug; conf=/path/to/file.conf
描述:
通过读取配置文件: /etc/security/limits.conf, 能够对用户的session进行资源限制. 但是uid=0的用户的资源不进行限制 .
通过以下参数可以修改这个模块的属性:
* debug - verbose logging to syslog(3).
* conf=/path/to/file.conf - indicate an alternative limits configuration file to the default.
* change_uid - change real uid to the user for who the limits are set up. Use this option if you have problems like login not forking a shell for user who has no processes. Be warned that something else may break when you do this.
建议使用方法:
首先应该有个一个仅root用户能读的文件 (默认是 /etc/security/limits.conf). 这个文件定义了限制的规则.
每行都定义了一个针对用户或组的限制
* 一个用户名
* 一个组名,格式如下 @group
* 匹配模式 "*", 给默认的设置
* hard for enforcing hard resource limits. 这些限制由超级用户设置,内核负责强制执行.用户无法改变他们对系统资源的最高使用限额 .
* soft for enforcing soft resource limits. These limits are ones that the user can move up or down within the permitted range by any pre-exisiting hard limits. The values specified with this token can be thought of as default values, for normal system usage.
* - for enforcing both soft and hard limits together.
* core - limits the core file size (KB)
* data - max data size (KB)
* fsize - maximum filesize (KB)
* memlock - max locked-in-memory address space (KB)
* nofile - max number of open files
* rss - max resident set size (KB)
* stack - max stack size (KB)
* cpu - max CPU time (MIN)
* nproc - max number of processes
* as - address space limit
* maxlogins - max number of logins for this user.
* priority - the priority to run user process with
这些限制是基于每个LOGIN 的,而并非全局的设置.
示例文件:
# EXAMPLE /etc/security/limits.conf file:
# =======================================
#
* soft core 0
* hard rss 10000
@student hard nproc 20
@faculty soft nproc 20
@faculty hard nproc 50
ftp hard nproc 0
@student - maxlogins 4
然后再来看看我们系统中哪里使用了这个模块.
[cat /etc/pam.d/syatem-auth]
如果你看到这行:
session required /lib/security/$ISA/pam_limits.so
那么说明你的系统已经可以使用这个限制的机制了.
你所要做的仅仅是修改/etc/security/limits.conf 文件.