limits.conf File To Limit Users, Process In Linux With Examples – POFTUT


The limits.conf configuration file is used to limit user, domain, and process-related metrics. limits.conf is used by the pam_limits module.

limits.conf Configuration File

The configuration file is named limits.conf and is located in /etc/security/ . Its default content is shown below. We can see that there are four columns named domain , type , item and value .

#<domain>      <type>  <item>         <value> 
# 
 
#*               soft    core            0 
#root            hard    core            100000 
#*               hard    rss             10000 
#@student        hard    nproc           20 
#@faculty        soft    nproc           20 
#@faculty        hard    nproc           50 
#ftp             hard    nproc           0 
#ftp             -       chroot          /ftp 
#@student        -       maxlogins       4

As we can see, all of the rules are commented out, so they have no effect. There is also a directory, /etc/security/limits.d/ , that stores rules in separate files so they are easier to maintain. It is empty by default, but we can easily create rule files in it.

limits.conf Syntax

The limits.conf file has a simple and reliable syntax. This syntax makes it easy to set the context, type, item and value of each limit. We will look at each of these terms below.

<domain> <type> <item> <value>

Domain

When configuring limits, we need to specify the context a rule applies to. This context can be defined in several ways. The first column of the rule is the domain. A domain can be one of the following values.

  • username
  • groupname
  • * specifies all
  • userid
  • groupid

Type

There are two types of limit, called hard and soft . Hard limits are set by root and enforced by the kernel. Hard limits cannot be exceeded. Soft limits have some range of overload, but the overload can last only for a short time and cannot continue forever.

Item

Items are the core of limits. The item specifies what the limit is applied to. For example, if we want to limit the maximum number of processes, we use the nproc item. Here are some of the items that can be used in a limit rule.

  • fsize specifies maximum file size
  • nofile specifies maximum number of open files
  • cpu specifies maximum CPU time
  • nproc specifies maximum number of processes
  • maxlogins specifies maximum number of logins
  • maxsyslogins specifies maximum number of logins for all users

Specify User For Limit

Now we can start with examples. As we stated we can limit relevant items according to the user name. In the following rule, we will specify a limit for username ismail where we specify the user name in the first column.

ismail            hard    core            100000

In this example, we set a hard core or CPU limit with the value 100000 for the username ismail .

Specify Group For Limit

In this example, we specify the limit for a user group name. This type of limit is useful when we want to restrict particular user groups.

@apache        hard    nproc           20

In this example, we specify the apache group name to limit the number of processes to a maximum of 20.

Use Wildcard For Limit

When specifying the domain, we may need to set limits for all users and groups in a system. For this we use the * wildcard.

*               hard    rss             10000

In this example, we set the rss limit for all users and groups on the system.

Specify User ID Range For Limit

We may want to limit several users who are not in a common user group, when we do not want to or cannot create a group for them. Specifying limits one by one is a problem. We can cover multiple users with a single rule like the one below, with the restriction that the users must be specified as a range.

1000:1010               hard    rss             10000

The rule above is applied to the users whose user IDs are between 1000 and 1010 . The : operator is used to specify the range.

Specify Group ID Range For Limit

A group range is defined in the same way as the user range above. We specify a group ID range like below.

@500:510               hard    rss             10000

In this example, the rule is applied to the groups with IDs between 500 and 510. We use the @ operator to mark the IDs as group IDs and : for the range.
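The following Python parser is an added example, not part of the original article or of pam_limits. It reads rules in the four-column syntax described above, rejects malformed lines, and lists the rules whose domain (user name, @group, *, user ID range or @group ID range) matches a given user. The function names and the sample input are assumptions made for illustration, and rule precedence is not modelled.

```python
import re
from collections import namedtuple

Rule = namedtuple("Rule", "domain type item value")
VALID_TYPES = {"soft", "hard", "-"}
# Only the items that appear in this article; pam_limits accepts more.
KNOWN_ITEMS = {"core", "rss", "fsize", "nofile", "cpu", "nproc",
               "maxlogins", "maxsyslogins", "chroot"}

def parse_limits(text):
    """Return (rules, errors) for limits.conf-style text."""
    rules, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split columns
        if not fields:
            continue
        if len(fields) != 4:
            errors.append((lineno, "expected 4 columns"))
        elif fields[1] not in VALID_TYPES:
            errors.append((lineno, f"bad type {fields[1]!r}"))
        elif fields[2] not in KNOWN_ITEMS:
            errors.append((lineno, f"unknown item {fields[2]!r}"))
        else:
            rules.append(Rule(*fields))
    return rules, errors

def domain_matches(domain, user, uid, groups):
    """groups maps group name -> gid for each group the user is in."""
    if domain == "*":
        return True
    is_group = domain.startswith("@")
    body = domain[1:] if is_group else domain
    m = re.fullmatch(r"(\d+):(\d+)", body)
    if m:  # ID range, as in 1000:1010 or @500:510
        lo, hi = int(m.group(1)), int(m.group(2))
        ids = groups.values() if is_group else [uid]
        return any(lo <= i <= hi for i in ids)
    return body in groups if is_group else body == user

def rules_for(rules, user, uid, groups):
    """All rules whose domain matches the user; precedence is not modelled."""
    return [r for r in rules if domain_matches(r.domain, user, uid, groups)]

# Constructed sample: rules from this article plus one deliberately bad line.
SAMPLE = """\
ismail      hard    nproc      20
@apache     hard    nproc      20
*           hard    rss        10000
1000:1010   hard    rss        10000
@500:510    hard    rss        10000
@student    -       maxlogins  4
ismail      medium  nofile     512
"""
```

Calling parse_limits(SAMPLE) and then rules_for(rules, "ismail", 1005, {"ismail": 1005, "apache": 505}) shows every rule that would be considered for that user, which helps when rules are spread across several files in /etc/security/limits.d/ .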

Limit Number of Process

Now we will start to look at different item types to use. There are more items than described here but these are the most popular ones. The first example is limiting the number of processes for a user.

ismail        hard    nproc           20

In this example, we limit the number of processes with the nproc item. The rule applies to the user ismail , and the maximum number of processes this user can own is 20.

Limit CPU Time

Another useful item to limit is CPU time.

ismail           soft    cpu             10000

In this example, we apply a maximum of 10000 cycles for the user ismail by using the cpu item.

Limit Number Of Open File

We can limit the number of files a user can have open at one time. This can be useful to prevent disk bottlenecks if the system has a lot of users who access files.

ismail               hard    nofile          512

In this example, we specify that the user ismail can only open 512 files or file descriptors with the nofile item.

Limit Number Of Logins

By default, a user can have an unlimited number of connections, sessions, or logins on a system. This may create security or performance problems for the system. We can set limits on this.

@student        -       maxlogins       4

In this example, we limit the login count of the users in the student group. The maxlogins item applies to each user in the student group. The maximum number of logins cannot be more than 4 .

Limit Number Of System Logins

In the previous example, we restricted the maximum number of logins on a per-user basis. We can also specify the total number of logins system-wide. This restriction is effective for the system as a whole.

*        -       maxsyslogins       40

In this example, the rule names all users and groups, but it is not actually a user- or group-based restriction. We set this rule system-wide and use the maxsyslogins item with the value 40.

Limit Maximum File Size

We may want to restrict file size. This restriction can be useful for temporary files or files with a similar usage.

@student        -       fsize       4000000

In this example, we limit the size of a single file for the student group to 4000000 . The value is expressed in KB or kilobytes, so the example means 4 GB . We use fsize as the item type.
