Free Software Stuff

Ulimits - User limits utility

Ulimits is a program that lets a user apply the resource limits set forth by the administrator of a GNU/Linux system. Its main purpose is to compensate for the absence of PAM on some distributions.

Purpose and rationale

On distributions that provide Linux-PAM (that is, most distributions), resource limits are usually set in a /etc/security/limits.conf file, and a PAM module makes sure these limits are applied each time a user logs in. On such systems, ulimits is probably of no use; it should only be needed on systems without PAM, such as Slackware.

On Slackware, resource limits can be specified in the /etc/limits file, as described in limits(5). However, it seems that the only program that cares about that file is /bin/login. In particular, graphical login managers (xdm, kdm, gdm) ignore the /etc/limits file. This means that resource limits defined in that file are only set when the user logs in through a text console.

ulimits is a small program to be installed as setuid root. It reads the contents of the /etc/limits file, gets the resource limits for the calling user, and applies them to the calling process.

Usage

The intended usage of ulimits is to be called from the user’s .xsession script, before exec’ing the window manager:

#!/bin/sh

# Normal contents of a .xsession script
# ...

# Apply resource limits defined in /etc/limits
ulimits

# Start the window manager
exec /usr/bin/awesome

Limits will be set for the process that calls ulimits, that is, the shell running the .xsession script; the window manager will then inherit the limits through the exec call, and they will be propagated to all programs launched from the window manager.

Alternatively, ulimits may be called with non-option arguments; in that case, it will set the resource limits for its own process, then try to execute the program specified as the first argument. This means the last two lines of the above script could be replaced by a single one:

# Apply resource limits and start the window manager
ulimits /usr/bin/awesome

This “exec mode” is the only available mode on systems which do not provide the prlimit(2) system call (non-Linux systems or Linux prior to 2.6.36).

About the --enable-merged-limits option

The default behavior of ulimits when interpreting the /etc/limits file mimics the behavior of /bin/login, in the sense that only one line is ever considered, even if several lines could apply to the calling user.

The configure-time option --enable-merged-limits, introduced in version 0.3.2, changes that behavior. If enabled, all the lines that could apply to the calling user will be treated as if they were a single line.

(Since this is not the standard interpretation of /etc/limits, administrators should carefully review the contents of that file on their system before enabling this feature, to make sure they are not inadvertently giving a user more privileges than they originally intended.)

About the program running as setuid root

ulimits must run as setuid root for two reasons. First, the limits(5) page says that the /etc/limits file should be readable only by root. Second, only a privileged process can set the resource limits to arbitrary values; an unprivileged process can only set them to lower values than the default limits.

When called in “exec mode”, root privileges are dropped once the limits are set and before exec’ing the specified program.
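The ordering described in this section (set the limits while still privileged, then drop root, then exec) is shown below as an added example in C; it is not taken from the ulimits source. The function names are hypothetical, and a fixed RLIMIT_NOFILE value stands in for the values the real tool reads from /etc/limits.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <unistd.h>

/* Set one limit on the current process. Raising it needs privilege. */
static int apply_limit(int resource, rlim_t soft, rlim_t hard)
{
    struct rlimit rl = { .rlim_cur = soft, .rlim_max = hard };
    return setrlimit(resource, &rl);
}

/* Permanently give up setuid-root privileges. Returns 0 on success. */
static int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Group first: once the uid is dropped, the gid can no longer change. */
    if (setresgid(rgid, rgid, rgid) != 0) return -1;
    if (setresuid(ruid, ruid, ruid) != 0) return -1;

    /* Verify the drop: a non-root caller must not be able to regain root. */
    if (ruid != 0 && (setuid(0) == 0 || geteuid() == 0)) return -1;
    return 0;
}

/* "Exec mode": limits, then drop, then exec. Returns only on failure. */
static int limit_and_exec(char *const argv[], rlim_t nofile)
{
    if (apply_limit(RLIMIT_NOFILE, nofile, nofile) != 0) return -1;
    if (drop_privileges() != 0) return -1;
    execv(argv[0], argv);
    return -1;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s /path/to/program [args...]\n", argv[0]);
        return 2;
    }
    /* 256 is a constructed value; the real tool parses /etc/limits. */
    limit_and_exec(argv + 1, 256);
    perror("limit_and_exec");
    return 1;
}
```

Every return value is checked, so a failed limit or a failed privilege drop stops the exec instead of running the target program unrestricted or still as root.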

Copying

Ulimits is distributed under the terms of the GNU General Public License, version 3 or higher. The full license is included in the COPYING file of the source distribution.

Homepage and repository

The project homepage, where release tarballs may be found, is located at https://incenp.org/dvlpt/ulimits.html. The latest source code is available at https://git.incenp.org/damien/ulimits.git.

Releases

ulimits-0.3.2.tar.gz (application/gzip, 104K, signature)

ulimits-0.3.3.tar.gz (application/gzip, 117K, signature)

Source Mage users, please note that a “spell” for ulimits is already available in your “grimoire” (as utils/ulimits), thanks to Vlad Glagolev.