
Re: enforcing resource limits



On Sun, Apr 21, 2002 at 11:44:25AM +1000, Ian Cumming wrote:
> Anyway, if anyone is using limits.conf, could you please post your
> configuration with perhaps a little comment describing why you have
> chosen certain values, etc..

 When I have set up limits, it's been to prevent runaway processes (like
netscape... *ugh*) from eating up all the memory, triggering the kernel's
kill-something-and-take-its-memory behaviour.  It's not good when you leave
netscape running and come back to find that sshd, inetd, and maybe init have
been killed off...

 For this purpose, I use soft limits set in /etc/profile.  Limiting virtual
memory for any single process to a bit less than the amount of RAM in the
machine works for me.  If you want to run something that actually needs
more memory than you have RAM, you can bump up the limit, but it's rare for
something to want more than you have RAM, but less than you have total.  By
cutting it off with RAM to spare, you stop the process from swapping out
everything else and thrashing the system while you try to kill it.

 BTW, it would be nice if you could set the locked memory limit to a few
pages, then allow any process to lock memory, not just root.  A few pages
per proc * max procs isn't too bad, and it would allow gpg and other
security software to get a locked page without having to suid root.

> 
> Perhaps this information could be summarised and put into the security
> HOWTO?

 Anyone who wants to do so can use my advice as given above verbatim or
otherwise.


-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X(peter@llama.nslug. , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE
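As an added illustration of the soft-limit-in-/etc/profile approach the post describes (example code, not from the original message): a POSIX sh fragment that derives the per-process virtual memory limit from MemTotal, keeps a margin below physical RAM, and applies it as a soft limit that a user can still raise. The 10% margin, the function names and the dd-based check are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Derives a per-process
# soft virtual-memory limit that is a bit less than physical RAM, as the
# post recommends, so a runaway process hits its limit before it swaps
# everything else out. Assumes Linux (/proc/meminfo, ulimit -v in kB).

# Print the limit in kB for a machine with ram_kb of RAM, keeping
# margin_pct percent of RAM out of reach of any single process.
# The default of 10% is an assumed value; tune it to the machine.
vmem_limit_kb() {
    ram_kb=$1
    margin_pct=${2:-10}
    echo $(( ram_kb - ram_kb * margin_pct / 100 ))
}

# Total RAM in kB from /proc/meminfo; empty output if unavailable.
mem_total_kb() {
    awk '/^MemTotal:/ { print $2 }' /proc/meminfo 2>/dev/null || true
}

# Apply the soft limit to the current shell (and everything it starts).
# Meant to be sourced from /etc/profile. Because it is a soft limit
# (-S), a user can still raise it with "ulimit -S -v" up to the hard
# limit when a job genuinely needs more.
apply_vmem_soft_limit() {
    total=$(mem_total_kb)
    [ -n "$total" ] || return 1
    ulimit -S -v "$(vmem_limit_kb "$total")"
}

# Show the limit biting: in a subshell with a tight 32 MB limit, dd
# cannot allocate a 64 MB buffer and fails, which is exactly what
# should happen to a runaway process. Returns 0 if it was stopped.
runaway_is_blocked() {
    ! ( ulimit -S -v 32768 && dd if=/dev/zero of=/dev/null bs=64M count=1 ) \
        2>/dev/null
}

# Usage: ". ./vmem-limit.sh --apply" from /etc/profile, or run with
# --demo to watch the limit stop an oversized allocation.
case "${1:-}" in
    --apply) apply_vmem_soft_limit ;;
    --demo)  runaway_is_blocked && echo "oversized allocation was stopped" ;;
esac
```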

