KBTAG: kben10000008
URL: http://www.securityportal.com/lskb/10000000/kben10000008.html
Date created: 13/03/2000
Date modified:
Date removed:
Author(s): Kurt Seifried seifried@securityportal.com
Topic: Using PAM to limit users' access to computer resources
Keywords: PAM, Users/PAM
Most Linux systems now support PAM (Pluggable Authentication Modules). PAM is used to authenticate users, and can also be used to modify their system access. You can place limits on CPU usage, memory usage, and so on. The benefit of using PAM for this, rather than shell-specific restrictions, is that it applies to all shells, and you can set limits for individuals and groups as well as defaults (which can be done for individual shells but is trickier).
Simply add the line (change the path to pam_limits.so as necessary):
session required /lib/security/pam_limits.so
to the configuration file for any interactive login program (such as telnet or sshd). You can then use /etc/security/limits.conf to modify settings. The format is:
<domain> <type> <item> <value>
Where:
<domain> can be:
 - a user name
 - a group name, with @group syntax
 - the wildcard *, for default entry
<type> can have the two values:
 - "soft" for enforcing the soft limits
 - "hard" for enforcing hard limits
<item> can be one of the following:
 - core - limits the core file size (KB)
 - data - max data size (KB)
 - fsize - maximum filesize (KB)
 - memlock - max locked-in-memory address space (KB)
 - nofile - max number of open files
 - rss - max resident set size (KB)
 - stack - max stack size (KB)
 - cpu - max CPU time (MIN)
 - nproc - max number of processes
 - as - address space limit
 - maxlogins - max number of logins for this user
 - priority - the priority to run user process with
So for example you can deny core files to everyone with the simple addition of:
* soft core 0
You could also create a group called "student", add all the students to it and then restrict their maximum number of logins to 4:
@student - maxlogins 4
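The format above can be checked mechanically before a limits.conf change is deployed. The following Python is an added example, not part of the original article: it validates each line against the item list given here and reports limits that are set only as "soft", which a user can raise again up to the hard limit. The function names parse_limits and soft_only are hypothetical, the sample input is constructed, and the "-" type is treated as setting both soft and hard limits, as limits.conf defines it.

```python
ITEMS = {"core", "data", "fsize", "memlock", "nofile", "rss", "stack",
         "cpu", "nproc", "as", "maxlogins", "priority"}  # items listed in this article
TYPES = {"soft", "hard", "-"}  # "-" sets soft and hard together (see the @student line)

def parse_limits(text):
    """Return (entries, errors); an entry is (lineno, domain, type, item, value)."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            errors.append((lineno, "expected <domain> <type> <item> <value>"))
            continue
        domain, typ, item, value = fields
        if typ not in TYPES:
            errors.append((lineno, f"unknown type {typ!r}"))
        elif item not in ITEMS:
            errors.append((lineno, f"unknown item {item!r}"))
        else:
            entries.append((lineno, domain, typ, item, value))
    return entries, errors

def soft_only(entries):
    # A soft limit can be raised by the user up to the hard limit, so a
    # (domain, item) pair with no hard entry is a default, not an enforced cap.
    # Simplification: domains are compared by exact match only.
    soft, hard = {}, set()
    for lineno, domain, typ, item, _ in entries:
        if typ in ("hard", "-"):
            hard.add((domain, item))
        if typ == "soft":
            soft.setdefault((domain, item), lineno)
    return sorted((ln, d, i) for (d, i), ln in soft.items() if (d, i) not in hard)

# Constructed sample: the two lines from this article plus one misspelled item.
SAMPLE = """\
# /etc/security/limits.conf
*         soft  core       0
@student  -     maxlogins  4
@student  hard  nprocs     50
"""

if __name__ == "__main__":
    entries, errors = parse_limits(SAMPLE)
    for lineno, msg in errors:
        print(f"line {lineno}: {msg}")
    for lineno, domain, item in soft_only(entries):
        print(f"line {lineno}: {domain} {item} is soft-only, no hard limit enforces it")
```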
See "man pam_console", "man console.perms", and "man pam_xauth".