ulimit - Security


Thread: ulimit

  1. ulimit

    How can I (being root) prevent other users from changing their ulimit?
    I know this is possible in UNIX, but I'm not sure about Linux (i.e.
    Slackware, SUSE). By the way, how would I do it in UNIX? (i.e.
    Solaris, Darwin, or FreeBSD)


  2. Re: ulimit

    Steven Borrelli wrote:

    > How can I (being root) prevent other users from changing their ulimit?
    > I know this is possible in UNIX, but I'm not sure about Linux ....


    You can't prevent them from changing the limits; you can only impose a
    "cap" (a hard limit) on how much of the system resources any user can use.
    A user process can still change (lower, for example) its own limits.

    *How* you do this, be it on a commercial Unix system, Linux of whatever
    flavour, or a *BSD system, seems to me to be implementation specific.
    See the "limits" manual page on Slackware (and other, perhaps?) Linux
    systems for an example of one possibility.

    I hope this helps ...

    --
    ----------------------------------------------------------------------
    Sylvain Robitaille syl@alcor.concordia.ca

    Systems and Network analyst Concordia University
    Instructional & Information Technology Montreal, Quebec, Canada
    ----------------------------------------------------------------------

  3. Re: ulimit

    On Thu, 08 Nov 2007, in the Usenet newsgroup comp.os.linux.security, in article
    <1194494735.248243.325540@d55g2000hsg.googlegroups.com>, Steven Borrelli wrote:

    NOTE: Posting from groups.google.com (or some web-forums) dramatically
    reduces the chance of your post being seen. Find a real news server.

    And please don't post the same question to multiple newsgroups.

    >How can I (being root) prevent other users from changing their ulimit?


    You can't. They can _reduce_ their limits, or increase them up to
    the limits you set, but it's not easy to prevent anyone from changing
    them below those maximum limits.

    >I know this is possible in UNIX, but I'm not sure about Linux (i.e.
    >Slackware, SUSE). By the way, how would I do it in UNIX? (i.e.
    >Solaris, Darwin, or FreeBSD)


    It's a _shell_ function, not an O/S. You're probably running a Bourne
    type shell (sh, bash, ksh, or similar), and for that the built-in
    command is 'ulimit'. For a 'c' type shell (csh, tcsh, and similar),
    the command is 'limit'.

    Limits are set in a login shell - so if you are using a text based
    login and a Bourne shell, use /etc/profile. If using a 'csh' shell,
    use ~/.login in the user's home directory. If using a 'tcsh' shell,
    see the man page, as things vary as a function of how the shell is
    compiled. For a _GUI_ login (runlevel 5 in a Linux Standard Base
    compliant distribution)[1], you need to look at the man page for the
    display manager used (gdm, kdm, wdm, xdm, etc.) as they usually
    do NOT use a shell as the place to set things - .xinitrc, .xsession,
    or similar - often in the user's home directory. For those files
    that set the limits but are located _in_ the user's home directory,
    you need to change ownership of that/those files to root:root, and
    set the 'sticky bit' on the directory itself (chmod 1750 /home/mumble)
    so that only the file _owner_ can delete the file.

    Bottom line - see the man page for the shell used, and read the
    sections about limits and shell invocation.

    Old guy

    [1] Mandriva 2008 is an exception. The GUI login shell scripts source
    ~/.bash_profile - which isn't much good in a 'csh' environment, but is
    a start.

  4. Re: ulimit

    Steven Borrelli wrote:
    > How can I (being root) prevent other users from changing their ulimit?
    > I know this is possible in UNIX, but I'm not sure about Linux (i.e.
    > Slackware, SUSE). By the way, how would I do it in UNIX? (i.e.
    > Solaris, Darwin, or FreeBSD)


    For Linux
    man limits.conf

    limits.conf lives in /etc/security usually.
    It applies (or could apply, depending on configuration) to any user.
    It's not dependent on shell. You can use the shell ulimit command to
    change soft limits, like a previous poster said, but hard limits are
    absolute maximums.
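
The soft/hard behaviour the replies describe, as an added shell example that is not part of any post in the thread: a subshell caps its own open-files limit (standing in for a hard entry root would set, for instance in limits.conf) and then attempts each kind of change. `CAP`, `step` and `limit_demo` are names made up for this example, and it assumes the current hard limit for open files is at least 64.

```shell
#!/bin/sh
# Added example: soft vs. hard limit semantics for open files (ulimit -n).
# CAP is a constructed value; the example assumes the current hard limit
# is at least CAP so the first step can succeed.
CAP=64

# step <label> <ulimit args...>
# Runs ulimit in the current shell (not in a command substitution, which
# would discard the change) and reports whether the kernel accepted it.
step() {
    label=$1
    shift
    if ulimit "$@" 2>/dev/null; then
        echo "$label=ok"
    else
        echo "$label=denied"
    fi
}

# The body is a subshell, so the caller's own limits are never modified.
limit_demo() (
    # With neither -S nor -H, both soft and hard limits are set: this is
    # the view a user has after root has imposed a hard cap of CAP.
    step cap_both -n "$CAP"
    # Lowering the soft limit is always allowed.
    step lower_soft -S -n $((CAP / 2))
    # Raising the soft limit is allowed up to the hard limit...
    step raise_soft_to_hard -S -n "$CAP"
    # ...but never past it (rejected regardless of privilege).
    step raise_soft_past_hard -S -n $((CAP * 2))
    # Raising the hard limit is refused for an unprivileged process.
    step raise_hard -H -n $((CAP * 2))
    echo "final_soft=$(ulimit -S -n)"
    echo "final_hard=$(ulimit -H -n)"
)

limit_demo
```

Run as an ordinary user, the last step reports `denied` and both final values stay at the cap; a process holding CAP_SYS_RESOURCE (normally root) can raise the hard limit, which is why the cap binds only unprivileged users.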
