ulim, version 1.1
~~~~~~~~~~~~~~~~~
by Andrzej Szombierski

Ulim is a Linux kernel module which enforces resource limits on every
process in the system. Yes, there are already solutions like pam_limits,
but there are some places where the user can execute his programs and PAM
is not used (for example .forward/.procmailrc files, or CGI scripts). Ulim
works in the kernel and sets the limits whenever a process changes its
real uid, so every process run by a user will have the correct limits.

From version 1.1 ulim also allows you to choose the initial nice value.

0. Legal stuff
~~~~~~~~~~~~~~
ulim is GPLed and comes with absolutely no warranty; for details see
COPYING.

1. Compiling
~~~~~~~~~~~~
Run make, then make install as root. This creates /usr/local/sbin/limctl,
some symlinks and /dev/limctl.

ulim was successfully compiled under linux-2.4.* and should work under
linux-2.2.* (tell me if I'm wrong).

2. Usage
~~~~~~~~
ulim is configured from userspace by lclear, ldel, ldump, llist, lreload,
lset and lshow (these are all symlinks to limctl). You can define default
limits (applied to all users but root) and per-user limits.

A short description of each command:

llist
    lists all per-user limits

lshow [users]
    shows the default limits (if called without arguments), or the
    limits defined for the supplied users

lset [users] [limit definitions]
    sets the default limits (if called without arguments) or per-user
    limits. The syntax of [limit definitions] is:
        [limit name] [value] [limit name2] [value2] ...
    Limit names are described in the example 'limits' file.

ldel [users]
    deletes per-user limits

ldump
    dumps all limits to stdout. The format is readable by lreload.

lreload
    reads limits from a configuration file (useful in boot scripts).
    The format of the configuration file is described in the example
    configuration file.

lclear
    resets all per-user limits and sets the default limits to
    'unlimited'

A user list is a colon-separated list of users/uids/groups, for example:
me,you,@agroup (note that there are no spaces).

You may specify who can read/write the ulim configuration by setting the
permission bits on /dev/limctl.

4. Known bugs
~~~~~~~~~~~~~
* ulim doesn't do any locking when managing its configuration, so it is
  theoretically possible to do some Bad Things (R) by running many
  limctls simultaneously (more probable on an SMP machine).
* ulim wastes memory by using linked lists for storing configuration.
* the maximum number of processes is checked on fork(), and not on
  setuid(), so it is possible to overcome this limit (because, for
  example, login executes fork() as root, so without limits, and then
  setuid()). This is not strictly a bug in ulim, just a kernel design
  issue.

Bug reports and great ideas are appreciated.
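The mechanism ulim implements in the kernel (a default limit set plus per-user
overrides, root exempt, applied at the moment the real uid changes, with an
initial nice value since 1.1) can be illustrated in user space. The following
is an added example written for this README, not code from ulim itself: the
limit table, the `ulim_entry` struct and the `ulim_lookup`/`ulim_apply`/
`ulim_switch_user` functions are hypothetical names, and the table contents
are constructed values, not ulim's on-disk configuration format. It applies
the limits only after `setuid()` succeeds, so they follow the real uid the
way the module's hook does; the fork()-versus-setuid() caveat from the
Known bugs section still applies to RLIMIT_NPROC here as well.

```c
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed per-user limit table for this example (not ulim's format).
 * The entry whose uid is UL_DEFAULT plays the role of ulim's "default
 * limits": it covers every non-root user without an entry of its own. */
#define UL_DEFAULT   ((uid_t)-1)
#define UL_UNLIMITED RLIM_INFINITY

struct ulim_entry {
    uid_t  uid;
    rlim_t nproc;    /* max processes (RLIMIT_NPROC), checked by the kernel on fork() */
    rlim_t nofile;   /* max open files (RLIMIT_NOFILE) */
    rlim_t as_bytes; /* address-space size in bytes (RLIMIT_AS) */
    int    nice;     /* initial nice value, as ulim 1.1 allows */
};

static const struct ulim_entry ulim_table[] = {
    { UL_DEFAULT,  100,         1024, 512UL * 1024 * 1024, 5  },
    { 1000,        50,          256,  256UL * 1024 * 1024, 10 },
    { 1001,        UL_UNLIMITED, 4096, UL_UNLIMITED,        0  },
};
#define ULIM_TABLE_LEN (sizeof ulim_table / sizeof ulim_table[0])

/* Return the entry for uid, or the default entry if it has none.
 * Root is exempt, as in ulim: uid 0 yields NULL and nothing is applied. */
const struct ulim_entry *ulim_lookup(uid_t uid)
{
    const struct ulim_entry *def = NULL;
    if (uid == 0)
        return NULL;
    for (size_t i = 0; i < ULIM_TABLE_LEN; i++) {
        if (ulim_table[i].uid == uid)
            return &ulim_table[i];
        if (ulim_table[i].uid == UL_DEFAULT)
            def = &ulim_table[i];
    }
    return def;
}

/* Set soft and hard limit together so the user cannot raise it back. */
static int set_limit(int resource, rlim_t value)
{
    struct rlimit rl = { value, value };
    return setrlimit(resource, &rl);
}

/* Apply an entry to the calling process; 0 on success, -1 on error. */
int ulim_apply(const struct ulim_entry *e)
{
    if (e == NULL)
        return 0;                          /* root: nothing to enforce */
    if (set_limit(RLIMIT_NPROC, e->nproc) != 0)
        return -1;
    if (set_limit(RLIMIT_NOFILE, e->nofile) != 0)
        return -1;
    if (set_limit(RLIMIT_AS, e->as_bytes) != 0)
        return -1;
    if (setpriority(PRIO_PROCESS, 0, e->nice) != 0)
        return -1;
    return 0;
}

/* Change the real uid and only then apply that uid's limits, so the limits
 * track the real uid just as ulim's in-kernel hook does. */
int ulim_switch_user(uid_t uid)
{
    if (setuid(uid) != 0)
        return -1;
    return ulim_apply(ulim_lookup(uid));
}

int main(void)
{
    uid_t me = getuid();
    const struct ulim_entry *e = ulim_lookup(me);
    struct rlimit rl;

    if (e == NULL) {
        puts("running as root: no limits applied");
        return 0;
    }
    printf("uid %u -> nproc=%lu nofile=%lu nice=%d\n", (unsigned)me,
           (unsigned long)e->nproc, (unsigned long)e->nofile, e->nice);
    if (ulim_apply(e) != 0) {
        perror("ulim_apply");
        return 1;
    }
    getrlimit(RLIMIT_NOFILE, &rl);
    printf("RLIMIT_NOFILE is now %lu/%lu\n",
           (unsigned long)rl.rlim_cur, (unsigned long)rl.rlim_max);
    return 0;
}
```

Run unprivileged, `main` just applies the default entry to itself and shows the
resulting RLIMIT_NOFILE; a privileged launcher (the .forward or CGI situation
the README describes) would call `ulim_switch_user()` before exec'ing the
user's program. Setting the hard limit equal to the soft limit is what keeps
the user from undoing the setting with `ulimit` afterwards.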