pam_limits

This module is configured within PAM service files (e.g., /etc/pam.d/login, /etc/pam.d/sshd), typically as a session type module. Its basic usage is:

session required pam_limits.so [debug] [conf=PATH] [noaudit]

debug
    Prints debugging information to syslog, which can be useful for troubleshooting limit application issues.

conf=PATH
    Specifies an alternative path to the limits configuration file, overriding the default /etc/security/limits.conf and files in /etc/security/limits.d/.

noaudit
    Suppresses audit messages generated by the module. By default, pam_limits may log audit messages about limit application.

pam_limits is a PAM (Pluggable Authentication Modules) session module that applies resource limits for users during session establishment. These limits are defined in the /etc/security/limits.conf file and files within the /etc/security/limits.d/ directory. It allows administrators to control various system resources, such as the maximum number of open files, CPU time, memory usage, number of processes, and more, for individual users or groups.

The module is typically configured in PAM service files (e.g., /etc/pam.d/login, /etc/pam.d/sshd) under the session stack. Upon a user's successful login, pam_limits reads the configured limits and applies them to the new session, enforcing resource management and preventing a single user or process from consuming excessive system resources.

Configuration File Format: The module relies heavily on the correct format of /etc/security/limits.conf and its included files. Incorrect entries can lead to unexpected behavior, ignored limits, or even failed logins if not handled carefully.

Order in PAM Stack: For the module to function correctly, it must be placed in the session stack of PAM service files. Its position relative to other modules might be important; it's generally best to place it early in the session stack to ensure limits are applied before other session-specific setups.

Hard vs. Soft Limits: pam_limits sets both soft and hard limits. Soft limits are the actual limits applied, which a user can increase (within their session) up to the hard limit. Hard limits are maximums that can only be increased by a privileged process (e.g., root). Users cannot set their soft limits higher than the hard limits.

Root User: Limits for the root user are often `unlimited` by default or are intentionally ignored to prevent system instability. Applying strict limits to root can lead to unintended consequences.

No Dynamic Changes: Limits are applied at session creation. Changes to /etc/security/limits.conf or its related files do not affect already running sessions; users must log out and log back in for new limits to take effect.

The primary configuration file for pam_limits is /etc/security/limits.conf, which can also include files from the /etc/security/limits.d/ directory. Each significant line in these files typically follows the format:

# <domain> <type> <item> <value>

• <domain>: Specifies the user, group, or wildcard the limit applies to. Examples include a specific username (john), a group name prefixed with `@` (@developers), or a wildcard for all users/groups (*).
• <type>: Defines whether the limit is a soft (soft) limit, a hard (hard) limit, or applies to both (-).
• <item>: The specific resource to be limited (e.g., nofile for the maximum number of open files, nproc for the maximum number of processes, cpu for CPU time).
• <value>: The numerical limit for the resource or the keyword unlimited for no restriction.

The <item> field in limits.conf can specify various system resources to be limited. Common items include:

• core: Maximum size of core files (in kilobytes).
• data: Maximum data segment size (in kilobytes).
• fsize: Maximum file size (in kilobytes) that can be created.
• memlock: Maximum locked-in-memory address space (in kilobytes).
• nofile: Maximum number of open file descriptors.
• nproc: Maximum number of processes that can be created by the user.
• rss: Maximum resident set size (in kilobytes).
• stack: Maximum stack size (in kilobytes).
• cpu: Maximum CPU time (in minutes).
• rtprio: Maximum real-time priority for processes.
• msgqueue: Maximum POSIX message queue size (in bytes).
• nice: Maximum nice priority allowed to raise (a negative value indicates a higher priority).
• sigpending: Maximum number of pending signals.
• locks: Maximum number of file locks held.

pam_limits has been a fundamental and long-standing module in Linux-PAM since its early development. It provides a standard and flexible way to enforce system-wide resource management policies, evolving alongside the PAM framework itself to integrate seamlessly into modern Linux environments. Its core purpose – applying user-defined resource limits at the time of session establishment – has remained consistent throughout its history.

limits.conf(5): The manual page describing the format and usage of the system resource limits configuration file., pam(8): The main manual page providing an overview of Pluggable Authentication Modules., ulimit(1): A shell builtin command used to get or set resource limits for the current shell environment and its child processes., getrlimit(2), setrlimit(2): System calls used internally by pam_limits and other applications to manage resource limits.