limits in /etc/passwd, and maybe a bug in processing /etc/limits? :)
OK. As a continuation of my previous ramblings on resource limits, I'm running into two more similar issues on my slink machine. According to /etc/login.defs, I should be able to employ resource limits by editing users' passwd entries. I have QUOTAS_ENAB in login.defs: # Enable setting of ulimit, umask, and niceness from passwd gecos field. # QUOTAS_ENAB yes If I look at man 5 passwd, I see the following: The comment field is used by various system utilities, such as finger(1). Three additional values may be present in the comment field. They are pri= - set initial value of nice umask= - set initial value of umask ulimit= - set initial value of ulimit These fields are separated from each other and from any other comment field by a comma. I tried to set the umask to 022 this way with a test account, and I can't get it to do anything at all. I have tried adding extra comment entries by adding commas in /etc/passwd, and I've also tried using the pre-existing comment entries. None of it works. I end up with the default umask of 002 no matter what... and yes I have commented-out the umask field in /etc/profile, and there is none in the test user's .bash_profile, .profile, and .bashrc. :) Anyone know the right way to do it? My second problem... well, it looks like it may be a bug. Note the following text in /etc/limits: # Valid flags are: # A: max address space (KB) # C: max core file size (KB) # D: max data size (KB) ... and so on. But any time I use the A limit, the whole line becomes useless. See the following in man 5 limits: A invalid limits string will be rejected (not considered) by the login program. If I take out the A limit, the rest of the line functions again. So there seems to be some kind of problem reading or enforcing this limit. So a line like this: * L2 D12288 M32768 R2048 S2048 U64 N256 F16384 T60 C0 works fine. But one like this: * A32768 L2 D12288 M32768 R2048 S2048 U64 N256 F16384 T60 C0 breaks the whole line and NO limits are enforced. Is this a bug or am I doing something wrong (again)? :)
Re: /etc/limits
On 10/1/2000 Jim B wrote: Then (in /etc/limits) I set no limits on my own accounts: user - I would actually want to keep at least some of the limits on my own account as well, just to prevent a runaway process from causing problems, that is why i am interested in limits so reasonable no one would likely ever notice. (while still protecting against system from becoming crippled) Also: I still don't know of any way to set the Virtual Mem usage of a shell without using ulimit (bash) or limit (csh)! Note that it does not appear to be an option in /etc/limits or in pam's limits.conf. Anyone know how to do it? There must be a way. ulimit does not really protect at all against someone malicious since they are perfectly free to un-ulimit themselves, this is where pam_limits is helpful, it enforces the hard limit and it cannot be ulimited past that. -- Ethan Benson To obtain my PGP key: http://www.alaska.net/~erbenson/pgp/
Re: /etc/limits
On Mon, 10 Jan 2000, Ethan Benson wrote: ulimit does not really protect at all against someone malicious since they are perfectly free to un-ulimit themselves, this is where pam_limits is helpful, it enforces the hard limit and it cannot be ulimited past that. Hmmm. How would a user unlimit himself without changing his shell? If he stays in a single bash or csh shell, I don't know how he could do that. $ ulimit -v unlimited $ ulimit -v 32767 $ ulimit -v 32767 $ ulimit -v 32768 bash: ulimit: cannot modify limit: Operation not permitted OTOH if you're talking about someone who switches his shell to get around the limits, that's my whole point. I need to know how to set shell-independent limits. Yes you can do that with PAM, but I still don't see a PAM limit on virtual memory. Is there one there?
Re: /etc/limits
On 10/1/2000 Jim B wrote: $ ulimit -v unlimited $ ulimit -v 32767 $ ulimit -v 32767 $ ulimit -v 32768 bash: ulimit: cannot modify limit: Operation not permitted OTOH if you're talking about someone who switches his shell to get around the limits, that's my whole point. I need to know how to set shell-independent limits. Yes you can do that with PAM, but I still don't see a PAM limit on virtual memory. Is there one there? oh, i see some limits are enforced once set, I tried a few other limits and the user can set and unset them at will. correction noted :) -- Ethan Benson To obtain my PGP key: http://www.alaska.net/~erbenson/pgp/
Re: /etc/limits
* Ethan Benson said: Also: I still don't know of any way to set the Virtual Mem usage of a shell without using ulimit (bash) or limit (csh)! Note that it does not appear to be an option in /etc/limits or in pam's limits.conf. Anyone know how to do it? There must be a way. ulimit does not really protect at all against someone malicious since they are perfectly free to un-ulimit themselves, this is where pam_limits is helpful, it enforces the hard limit and it cannot be ulimited past that. Not only pam_limits is useful. You can use the capabilities of the shadow package to put the ULIMIT system value in the user's entry in the passwd/shadow database. marek pgpJDVkItpcDt.pgp Description: PGP signature
Re: /etc/limits
* Jim B said: On Mon, 10 Jan 2000, Ethan Benson wrote: ulimit does not really protect at all against someone malicious since they are perfectly free to un-ulimit themselves, this is where pam_limits is helpful, it enforces the hard limit and it cannot be ulimited past that. Hmmm. How would a user unlimit himself without changing his shell? If he stays in a single bash or csh shell, I don't know how he could do that. He can't, true. But shell-based limits aren't particularily good way of setting limits. They are by definition bound to one kind of shell - csh or bash or whatever. In case you, or the user, decideds to change his shell, you loose all the limits. PAM and/or shadow utilities (or lshell) are much better. [snip] OTOH if you're talking about someone who switches his shell to get around the limits, that's my whole point. I need to know how to set shell-independent limits. Yes you can do that with PAM, but I still don't see a PAM limit on virtual memory. Is there one there? Compute the ULIMIT value and put it in the commen't field of the user's record in the password database (ulimit=ULIMIT_VALUE). Then the login process will set the limits regardless of the shell. And if you worry about the user changing shell during the session - don't. The child process whether spawned or executed, will inherit the limits from its parent. marek pgpobnffszbRZ.pgp Description: PGP signature
Re: /etc/limits
On Tue, 11 Jan 2000, Marek Habersack wrote: He can't, true. But shell-based limits aren't particularily good way of setting limits. They are by definition bound to one kind of shell - csh or bash or whatever. In case you, or the user, decideds to change his shell, you loose all the limits. PAM and/or shadow utilities (or lshell) are much better. Correct. But this is the crux of this whole thread. I don't see any way, *other than* shell limits, of setting max Virtual Memory usage. The other resources yes, VMem no
Re: /etc/limits
* Jim B said: On Tue, 11 Jan 2000, Marek Habersack wrote: He can't, true. But shell-based limits aren't particularily good way of setting limits. They are by definition bound to one kind of shell - csh or bash or whatever. In case you, or the user, decideds to change his shell, you loose all the limits. PAM and/or shadow utilities (or lshell) are much better. Correct. But this is the crux of this whole thread. I don't see any way, *other than* shell limits, of setting max Virtual Memory usage. The other resources yes, VMem no And the pam_limits 'as' + 'rss' + 'data' + 'memlock' + 'stack' parameters? They all give you fine-grained control over the user's memory. marek pgpkS8gsSzPfY.pgp Description: PGP signature
Re: /etc/limits
On Tue, 11 Jan 2000, Marek Habersack wrote: And the pam_limits 'as' + 'rss' + 'data' + 'memlock' + 'stack' parameters? They all give you fine-grained control over the user's memory. OK, you're right. I had tried some of the PAM limits previously (one at a time) and none of them alone was sufficient to restrict an account's memory usage from devouring the machine using a particular exploit I'd gotten hold of. At the same time, restricting the user's virtual memory (ulimit -v) was able to stop the exploit, while none of the other ulimit options did. Therefore I thought I was unable to limit the max vmem using PAM. Thank you for pointing out to me that I can. :) One last thing... the original question also was, how do slackware and RedHat set the max vmem usage without using ulimit, /etc/limits, or PAM? Would you happen to know this off-hand? I thought maybe it was compiled into the login binary but I downloaded the source and their patches and didn't see any reference to it. Friends of mine have a slack 7 and an RH6 box, RH has PAM enabled but no limits configured, while the slackware machine has no /etc/limits, /etc/pam.d, or /etc/security. Yet when I log in, my virtual memory limit is set to 2105343 KB. Is that something imposed by the kernel due to its maximum address space? My kernel (2.2.14) is compiled the same way AFAICT yet my vmem limit is unlimited unless I set it using one of the aforementioned methods. Thanks again.
Re: /etc/limits
* Jim B said: On Tue, 11 Jan 2000, Marek Habersack wrote: And the pam_limits 'as' + 'rss' + 'data' + 'memlock' + 'stack' parameters? They all give you fine-grained control over the user's memory. OK, you're right. I had tried some of the PAM limits previously (one at a time) and none of them alone was sufficient to restrict an account's memory usage from devouring the machine using a particular exploit I'd gotten hold of. At the same time, restricting the user's virtual memory The 'virtual memory' is a quite broad term as you can see : (ulimit -v) was able to stop the exploit, while none of the other ulimit options did. Therefore I thought I was unable to limit the max vmem using PAM. Thank you for pointing out to me that I can. :) My pleasure :) One last thing... the original question also was, how do slackware and RedHat set the max vmem usage without using ulimit, /etc/limits, or PAM? Would you happen to know this off-hand? I thought maybe it was compiled into the login binary but I downloaded the source and their patches and didn't see any reference to it. Friends of mine have a slack 7 and an RH6 box, RH has PAM enabled but no limits configured, while the slackware machine has no /etc/limits, /etc/pam.d, or /etc/security. Yet when I log in, my virtual memory limit is set to 2105343 KB. Is that something From a quick look, it's in the bash shell for those distributions. When I changed my shell on one RH 6.1 server I got unlimited memory. marek pgp3ovjkk7d8V.pgp Description: PGP signature
Re: /etc/limits
At 06:34 PM 1/9/00 -0500, Jim B wrote: OK another issue I'm having with setting resource limits. How can I [snip] I look in my /etc/limits and see a way to restrict just about all those [snip] Where can I find more info on /etc/limits ? Regards, Onno
Re: /etc/limits
Should be in your limits man page. If you're running potato then you'd probably want to use PAM and /etc/security/limits.conf instead. Look at the files themselves to see how they are set up. On Mon, 10 Jan 2000, Onno Ebbinge wrote: At 06:34 PM 1/9/00 -0500, Jim B wrote: OK another issue I'm having with setting resource limits. How can I [snip] I look in my /etc/limits and see a way to restrict just about all those [snip] Where can I find more info on /etc/limits ? Regards, Onno
Re: /etc/limits
On 10/1/2000 Jim B wrote: If you're running potato then you'd probably want to use PAM and /etc/security/limits.conf instead. Look at the files themselves to see how they are set up. I have figured out how to set these limits up well enough, but I have a related question, how can i set reasonable limits? what I mean is how can i set reasonable limits for a user that they will never even notice are there unless 1) they are intentionally trying to crash the machine or 2) unintentionally have a process go out of control. sort of analogous to the 5% limit on ext2fs reserved for root. -- Ethan Benson To obtain my PGP key: http://www.alaska.net/~erbenson/pgp/
Re: /etc/limits
Subject: Re: /etc/limits Date: Mon, Jan 10, 2000 at 07:26:19AM +0100 In reply to:Onno Ebbinge Quoting Onno Ebbinge([EMAIL PROTECTED]): | At 06:34 PM 1/9/00 -0500, Jim B wrote: | OK another issue I'm having with setting resource limits. How can I | [snip] | I look in my /etc/limits and see a way to restrict just about all those | [snip] | | Where can I find more info on /etc/limits ? | apropos limits ? -- Nobody said computers were going to be polite. ___
Re: /etc/limits
I asked myself the same question, so I logged into my shell account at a local ISP and took a look at what they use on their FreeBSD machine with 512 MB of RAM: core file size (blocks) unlimited data seg size (kbytes) 22528 file size (blocks) unlimited max locked memory (kbytes) 10240 max memory size (kbytes)30720 open files 64 pipe size (512 bytes) 1 stack size (kbytes) 8192 cpu time (seconds) unlimited max user processes 64 virtual memory (kbytes) 30720 On my machine (96 MB) I am using something between the optional default in /etc/limits, and what I found from the aforementioned machine. The defaults in /etc/limits are: #* L2 D6144 R2048 S2048 U32 N32 F16384 T5 C0 However I set the max CPU time to 60 minutes (T60) and max open files to 64 (N64). I figured that any process spawned by a shell that burned up 60 mins of CPU time (note that CPU time does not accumulate while a process is idle) might be up to no good, but that's on my machine where I only have a few remote users, and an occasional console user, playing around with things. On a true full-time multi-user machine you may want to increase this slightly. I also set (in /etc/profile): ulimit -v 32768 which is apparently more than enough to run X and Netscape (4.6). I originally had tried about 16 MB and X started but Netscape would segfault. Then (in /etc/limits) I set no limits on my own accounts: user - As I only started experimenting with this yesterday, don't take any of my setup without some judgment. :) I'm probably making some unreasonable choices which I will have to fine-tune over time. But they seem to have been decent preliminary defaults. Also: I still don't know of any way to set the Virtual Mem usage of a shell without using ulimit (bash) or limit (csh)! Note that it does not appear to be an option in /etc/limits or in pam's limits.conf. Anyone know how to do it? There must be a way. On Mon, 10 Jan 2000, Ethan Benson wrote: I have figured out how to set these limits up well enough, but I have a related question, how can i set reasonable limits? what I mean is how can i set reasonable limits for a user that they will never even notice are there unless 1) they are intentionally trying to crash the machine or 2) unintentionally have a process go out of control. sort of analogous to the 5% limit on ext2fs reserved for root. -- Ethan Benson To obtain my PGP key: http://www.alaska.net/~erbenson/pgp/
/etc/limits
OK another issue I'm having with setting resource limits. How can I restrict a user's max virtual memory usage? Not sure if anyone else has seen it, but there's a DoS exploit around (which will actually eat up just about any *nix box AFAICT, if there are no resource limits in effect) which eats up virtual memory. I've noticed that on my friends' slackware 7 and RedHat 6.0 machines, the default resource limits are basically the same as on my slink box *except* they have the virtual memory max at 2105343 while the Debian machine is set to unlimited. Yet, I can't figure out how those distros set the limits. Is it a compile-time option for /bin/login? I look in my /etc/limits and see a way to restrict just about all those resources *except* max virtual memory. How can I enforce this restriction? I know I could use limit in csh and ulimit in bash, but what about for shells that don't have built-in restrictions? Is there any way to do this other than force everyone to use one of those shells?
slink bug(?): /etc/limits permissions
Hi all, please see this excerpt from the man page for /etc/limits: LIMITS(5) LIMITS(5) NAME limits - Resource limits definition DESCRIPTION The limits file (/etc/limits by default or LIMITS_FILE defined config.h) describes the resource limits you wish to impose. It should be owned by root and readable by root account only. However, the current permissions on this file are NOT in accordance with the recommendation in the manual pages: ls -l /etc/limits: -rw-r--r-- 1 root root 725 Jul 17 1998 /etc/limits I have not modified this file or its permissions, and Linux was not on this machine on July 1998. :) Isn't this a distribution bug? (FWIW, the same condition exists on my friend's potato machine.)