limits File

Purpose

Defines process resource limits for users.

Description

Note: Changing the limit does not affect those processes that were started by init. Alternatively, ulimits are only used by those processes that go through the login processes.

The /etc/security/limits file defines process resource limits for users. This file is an ASCII file that contains stanzas that specify the process resource limits for each user. These limits are set by individual attributes within a stanza.

Each stanza is identified by a user name followed by a colon, and contains attributes in the Attribute=Value form. Each attribute is ended by a new-line character, and each stanza is ended by an additional new-line character. If you do not define an attribute for a user, the system applies default values.

If the hard values are not explicitly defined in the /etc/security/limits file but the soft values are, the system substitutes the following values for the hard limits:

Resource	Hard Value
Core Size	`unlimited`
CPU Time	`cpu`
Data Size	`unlimited`
File Size	`fsize`
Memory Size	`unlimited`
Stack Size	`4194304`
File Descriptors	`unlimited`
Threads	`unlimited`
Processes	`unlimited`

Note: Use a value of -1 to set a resource to unlimited.

If the hard values are explicitly defined but the soft values are not, the system sets the soft values equal to the hard values.

You can set the following limits on a user:

Limit	Description
fsize	Identifies the soft limit for the largest file a user's process can create or extend.
core	Specifies the soft limit for the largest core file a user's process can create.
cpu	Sets the soft limit for the largest amount of system unit time (in seconds) that a user's process can use.
data	Identifies the soft limit for the largest process data segment for a user's process.
stack	Specifies the soft limit for the largest process stack segment for a user's process.
rss	Sets the soft limit for the largest amount of physical memory a user's process can allocate. This limit is not enforced by the system.
nofiles	Sets the soft limit for the number of file descriptors a user process may have open at one time.
threads	Sets the soft limit for the number of threads per process.
nproc	Sets the soft limit for the number of processes per user.
core_hard	Specifies the largest core file a user's process can create.
cpu_hard	Sets the largest amount of system unit time (in seconds) that a user's process can use.
data_hard	Identifies the largest process data segment for a user's process.
fsize_hard	Identifies the largest file a user's process can create or extend.
rss_hard	Sets the largest amount of physical memory a user's process can allocate. This limit is not enforced by the system.
stack_hard	Specifies the largest process stack segment for a user's process.
nofiles_hard	Sets the hard limit for the number of file descriptors a user process may have open at one time.
threads_hard	Sets the hard limit for the number of threads per process.
nproc_hard	Sets the hard limit for the number of processes per user.

Except for the cpu, nofiles, threads, and nproc attributes, each attribute must be a decimal integer string that represents the number of 512-byte blocks allotted to a user. This decimal integer represents a 32-bit value and can have a maximum value of 2147483647. The cpu and nofiles attributes represent the maximum number of seconds of system time that a user's process can use, and the maximum number of files a user's process can have open at one time. The threads attribute represents the maximum number of threads each process can create. The nproc attribute represents the maximum number of processes each user can create. For an example of a limits stanza, see the "Examples" section .

When you create a user with the mkuser command, the system adds a stanza for the user to the limits file. Once the stanza exists, you can use the chuser command to change the user's limits. To display the current limits for a user, use the lsuser command. To remove users and their stanzas, use the rmuser command.

Note: Access to the user database files should be through the system commands and subroutines defined for this purpose. Access through other commands or subroutines may not be supported in future releases.

Security

Access Control: This file should grant read (r) access to the root user and members of the security group, and write (w) access only to the root user. Access for other users and groups depends upon the security policy for the system.

Auditing Events:

Event	Information
S_LIMITS_WRITE	file name

Examples

A typical record looks like the following example for user dhs:

dhs:
   fsize = 8192
   core = 4096
   cpu = 3600
   data = 1272
   stack = 1024
   rss = 1024
   nofiles = 2000
   threads = -1
   nproc = -1

Files

Item	Description
/etc/security/limits	Specifies the path to the file.
/etc/group	Contains the basic group attributes.
/etc/security/group	Contains the extended attributes of groups.
/etc/passwd	Contains the basic user attributes.
/etc/security/passwd	Contains password information.
/etc/security/user	Contains the extended attributes of users.
/etc/security/environ	Contains the environment attributes of users.
/etc/security/audit/config	Contains audit-system configuration information.
/usr/lib/security/mkuser.default	Contains the default values for user accounts.
/etc/security/lastlog	Contains last login information.