Setting Limits on Users

So far, the security concerns we have discussed regarding a Linux system have all revolved around the filesystem. Since everything in Linux is a file, this makes sense. However, security isn’t solely concerned with which user can access what resource at what time. Security must also take into consideration the sharing of resources among users (both system and human users). A good security administrator will ensure that no insecure SUID or SGID binaries exist on his system that could give a normal user root access. But what measures are in place to ensure that a normal user doesn’t run so many processes that a server is ground to a halt? What exists to make sure a user doesn’t open so many network sockets that no memory is available to allocate to new connections? At first these might seem like capacity planning issues, but when we are dealing with systems that reside in a hostile environment (such as the Internet), they become the responsibility of the security administrator.

The Linux kernel has the ability to control many limits on what users can and can’t do. These limits are defined in the file /etc/security/limits.conf and are viewed or modified interactively by the ulimit command. ulimit is a command built into the bash shell, so it does not exist as a separate binary on a Linux system.
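The following is an added example, not code from the book: a small audit of a limits.conf-style file that reports the hard cap for a domain and item, and flags entries that set only a soft limit (which a user can raise with ulimit up to the inherited hard limit). The sample policy and the function names `write_sample_limits`, `hard_cap` and `soft_without_hard` are constructed for illustration, and matching is by exact domain only, without the precedence rules the system applies between users, groups and wildcards.

```shell
#!/bin/sh
# limits.conf line format: <domain> <type> <item> <value>
# <type> is soft, hard, or "-" (which sets both soft and hard).

# Constructed sample policy, not taken from any real system.
write_sample_limits() {
    cat > "$1" <<'EOF'
# <domain>  <type>  <item>     <value>
*           soft    nproc      200
*           hard    nproc      400
@students   soft    nofile     1024
www-data    -       nofile     8192
@students   hard    maxlogins  4
EOF
}

# Print the hard value set for DOMAIN/ITEM, or "none" if the file sets no
# hard cap for that exact domain. The last matching line wins.
hard_cap() {  # usage: hard_cap FILE DOMAIN ITEM
    awk -v d="$2" -v i="$3" '
        NF == 0 || $1 ~ /^#/ { next }            # skip blanks and comments
        $1 == d && $3 == i && ($2 == "hard" || $2 == "-") { v = $4 }
        END { print (v == "" ? "none" : v) }' "$1"
}

# List "domain item" pairs that have a soft limit but no hard cap.
# A soft-only entry is a default, not an enforced ceiling.
soft_without_hard() {  # usage: soft_without_hard FILE
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        { key = $1 " " $3 }
        $2 == "soft"              { soft[key] = 1 }
        $2 == "hard" || $2 == "-" { hard[key] = 1 }
        END { for (k in soft) if (!(k in hard)) print k }' "$1" | sort
}

# Stand-alone run against the constructed sample.
f=$(mktemp) && write_sample_limits "$f"
echo "hard nproc cap for '*': $(hard_cap "$f" '*' nproc)"
echo "soft-only entries: $(soft_without_hard "$f")"
# What the current shell actually has for open files (soft vs. hard).
echo "this shell, open files: soft=$(ulimit -S -n) hard=$(ulimit -H -n)"
rm -f "$f"
```

Point the two functions at /etc/security/limits.conf to run the same check against a real policy.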

Get LPI Linux Certification in a Nutshell, 3rd Edition now with O’Reilly online learning.
