Boston Linux & Unix (BLU) Home | Calendar | Mail Lists | List Archives | Desktop SIG | Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings
Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU

BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Setting resource limits for all users

Someone asked about ways to do this not too long ago...  I don't
remember who it was.  This message on bugtraq described a couple of
interesting ways to do it.  I thought I'd share it with you all.

FYI, this issue arose because someone pointed out that if you use ssh
to start a command directly, rather than just logging in so that a pty
is allocated, sshd does not call pam_session_start(), which presents a
few problems.  For example, on my own systems,  I ran this:

  [ddm at sol ddm]
  $ ssh mail w
   16:56:43 up 27 days, 18:29,  0 users,  load average: 0.00, 0.00, 0.00
  USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
  [ddm at sol ddm]

Note that it doesn't show me logged in, and obviously therefore
doesn't show what I'm running.  It also doesn't set per-process
limits, if you're using to control that.  It also does
not update utmp.

As the poster points out, you can start a shell on the remote host
with all these features, by simply running something like this:

  ssh remotehost /bin/sh

It works strangely, but it does work.  Anyway, see below for some
ulimit tips.  :)

----- Forwarded message from Jim Breton <jamesb-bugtraq at> -----

On Tue, Jun 19, 2001 at 03:11:02AM +0200, Christian Kraemer wrote:
> This is espacially anoying if you
> use to set rlimits. Every user could
> cirrcumvent them easily by calling ssh in this way:
> ssh user at server /bin/sh

True.  Fwiw you can work around this by putting ulimit calls in your 
sshd invocation script.  For example:


ulimit -d <#>
ulimit -f <#>
ulimit -l <#>
ulimit -m <#>
ulimit -n <#>
ulimit -s <#>


Also most Linux distributions' 'init' packages support an
/etc/initscript which will be used for invoking all children of init.
man initscript:

       When  the  shell  script  /etc/initscript is present, init
       will use it to execute the commands  from  inittab.   This
       script  can  be  used  to set things like ulimit and umask
       default values for every process.

which is a good "safety net" for unforeseen issues like this one, as
well as for protecting against resource exhaustion via cron jobs, etc..

I imagine you could do the same thing on other *nixes by putting the
call somewhere early in the bootscripts.

P.S. I see this issue you raised is now being discussed on the
openssh-unix-dev list.

----- End forwarded message -----

Derek Martin          |   Unix/Linux geek
ddm at    |   GnuPG Key ID: 0x81CFE75D
Retrieve my public key at

Subcription/unsubscription/info requests: send e-mail with
"subscribe", "unsubscribe", or "info" on the first line of the
message body to discuss-request at (Subject line is ignored).

BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!

Boston Linux & Unix /