limits File

Purpose

Defines process resource limits for users.

Description

Note: Changing a limit does not affect processes that were started by init. The ulimits are used only by processes that go through the login process.

The /etc/security/limits file defines process resource limits for users. This file is an ASCII file that contains stanzas that specify the process resource limits for each user. These limits are set by individual attributes within a stanza.

Each stanza is identified by a user name followed by a colon, and contains attributes in the Attribute=Value form. Each attribute is ended by a new-line character, and each stanza is ended by an additional new-line character. If you do not define an attribute for a user, the system applies default values.

If the hard values are not explicitly defined in the /etc/security/limits file but the soft values are, the system substitutes the following values for the hard limits:

Resource          Hard Value
Core Size         unlimited
CPU Time          cpu
Data Size         unlimited
File Size         fsize
Memory Size       unlimited
Stack Size        4194304
File Descriptors  unlimited
Threads           unlimited
Processes         unlimited

Note: Use a value of -1 to set a resource to unlimited.

If the hard values are explicitly defined but the soft values are not, the system sets the soft values equal to the hard values.

You can set the following limits on a user:

Limit         Description
fsize         Identifies the soft limit for the largest file a user's process can create or extend.
core          Specifies the soft limit for the largest core file a user's process can create.
cpu           Sets the soft limit for the largest amount of system unit time (in seconds) that a user's process can use.
data          Identifies the soft limit for the largest process data segment for a user's process.
stack         Specifies the soft limit for the largest process stack segment for a user's process.
rss           Sets the soft limit for the largest amount of physical memory a user's process can allocate. This limit is not enforced by the system.
nofiles       Sets the soft limit for the number of file descriptors a user process may have open at one time.
threads       Sets the soft limit for the number of threads per process.
nproc         Sets the soft limit for the number of processes per user.
core_hard     Specifies the largest core file a user's process can create.
cpu_hard      Sets the largest amount of system unit time (in seconds) that a user's process can use.
data_hard     Identifies the largest process data segment for a user's process.
fsize_hard    Identifies the largest file a user's process can create or extend.
rss_hard      Sets the largest amount of physical memory a user's process can allocate. This limit is not enforced by the system.
stack_hard    Specifies the largest process stack segment for a user's process.
nofiles_hard  Sets the hard limit for the number of file descriptors a user process may have open at one time.
threads_hard  Sets the hard limit for the number of threads per process.
nproc_hard    Sets the hard limit for the number of processes per user.

Except for the cpu, nofiles, threads, and nproc attributes, each attribute must be a decimal integer string that represents the number of 512-byte blocks allotted to a user. This decimal integer represents a 32-bit value and can have a maximum value of 2147483647. The cpu and nofiles attributes represent, respectively, the maximum number of seconds of system time that a user's process can use and the maximum number of files a user's process can have open at one time. The threads attribute represents the maximum number of threads each process can create. The nproc attribute represents the maximum number of processes each user can create. For an example of a limits stanza, see the "Examples" section.

When you create a user with the mkuser command, the system adds a stanza for the user to the limits file. Once the stanza exists, you can use the chuser command to change the user's limits. To display the current limits for a user, use the lsuser command. To remove users and their stanzas, use the rmuser command.
Note: Access to the user database files should be through the system commands and subroutines defined for this purpose. Access through other commands or subroutines may not be supported in future releases.

Security

Access Control: This file should grant read (r) access to the root user and members of the security group, and write (w) access only to the root user. Access for other users and groups depends upon the security policy for the system.

Auditing Events:

Event           Information
S_LIMITS_WRITE  file name

Examples

A typical record looks like the following example for user dhs:

dhs:
   fsize = 8192
   core = 4096
   cpu = 3600
   data = 1272
   stack = 1024
   rss = 1024
   nofiles = 2000
   threads = -1
   nproc = -1
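
The soft/hard substitution rules described above, applied to the dhs stanza as an added example (not part of the original page and not IBM code). It assumes the rules apply per resource and that lines starting with * are comments; parse_limits, resolve and unlimited_hard are hypothetical names, and the batch stanza is constructed.

```python
# Added example, not IBM code. "dhs" is the page's stanza; "batch" is constructed.
RESOURCES = "fsize core cpu data stack rss nofiles threads nproc".split()
SAMPLE = """\
dhs:
   fsize = 8192
   core = 4096
   cpu = 3600
   data = 1272
   stack = 1024
   rss = 1024
   nofiles = 2000
   threads = -1
   nproc = -1

batch:
   nofiles_hard = 4096
"""

def parse_limits(text):
    """Return {user: {attribute: int}} for stanza-formatted text."""
    stanzas, current = {}, None
    for lineno, line in enumerate(map(str.strip, text.splitlines()), 1):
        if line.startswith("*"):             # assumption: '*' starts a comment
            continue
        if not line:                         # blank line ends the stanza
            current = None
        elif line.endswith(":") and "=" not in line:
            current = stanzas.setdefault(line[:-1].strip(), {})
        elif "=" in line and current is not None:
            name, value = (p.strip() for p in line.split("=", 1))
            current[name] = int(value)       # ValueError on non-decimal input
        else:
            raise ValueError(f"line {lineno}: unexpected text {line!r}")
    return stanzas

def resolve(attrs):
    """Return {resource: (soft, hard)}; (None, None) means neither was set."""
    out = {}
    for res in RESOURCES:
        soft, hard = attrs.get(res), attrs.get(res + "_hard")
        if soft is not None and hard is None:    # soft only: use the page's table
            hard = soft if res in ("cpu", "fsize") else 4194304 if res == "stack" else -1
        elif soft is None:                       # hard only: soft equals hard
            soft = hard
        out[res] = (soft, hard)
    return out

def unlimited_hard(attrs):  # resources whose effective hard limit is -1
    return [r for r, (_, hard) in resolve(attrs).items() if hard == -1]
```

For dhs, defining only soft values leaves core, data, rss, nofiles, threads and nproc with an unlimited hard limit.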

Files

Item                              Description
/etc/security/limits              Specifies the path to the file.
/etc/group                        Contains the basic group attributes.
/etc/security/group               Contains the extended attributes of groups.
/etc/passwd                       Contains the basic user attributes.
/etc/security/passwd              Contains password information.
/etc/security/user                Contains the extended attributes of users.
/etc/security/environ             Contains the environment attributes of users.
/etc/security/audit/config        Contains audit-system configuration information.
/usr/lib/security/mkuser.default  Contains the default values for user accounts.
/etc/security/lastlog             Contains last login information.