Defines process resource limits for users.
The /etc/security/limits file defines process resource limits for users. This file is an ASCII file that contains stanzas that specify the process resource limits for each user. These limits are set by individual attributes within a stanza.
Each stanza is identified by a user name followed by a colon, and contains attributes in the Attribute=Value form. Each attribute is ended by a new-line character, and each stanza is ended by an additional new-line character. If you do not define an attribute for a user, the system applies default values.
If the hard values are not explicitly defined in the /etc/security/limits file but the soft values are, the system substitutes the following values for the hard limits:
Resource | Hard Value |
---|---|
Core Size | unlimited |
CPU Time | cpu |
Data Size | unlimited |
File Size | fsize |
Memory Size | unlimited |
Stack Size | unlimited |
File Descriptors | unlimited |
If the hard values are explicitly defined but the soft values are not, the system sets the soft values equal to the hard values.
You can set the following limits on a user:
Limit | Description |
---|---|
fsize | Identifies the soft limit for the largest file a user's process can create or extend. |
core | Specifies the soft limit for the largest core file a user's process can create. |
cpu | Sets the soft limit for the largest amount of system unit time (in seconds) that a user's process can use. |
data | Identifies the soft limit for the largest process data segment for a user's process. |
stack | Specifies the soft limit for the largest process stack segment for a user's process. |
rss | Sets the soft limit for the largest amount of physical memory a user's process can allocate. This limit is not enforced by the system. |
nofiles | Sets the soft limit for the number of file descriptors a user process may have open at one time. |
core_hard | Specifies the largest core file a user's process can create. |
cpu_hard | Sets the largest amount of system unit time (in seconds) that a user's process can use. |
data_hard | Identifies the largest process data segment for a user's process. |
fsize_hard | Identifies the largest file a user's process can create or extend. |
rss_hard | Sets the largest amount of physical memory a user's process can allocate. This limit is not enforced by the system. |
stack_hard | Specifies the largest process stack segment for a user's process. |
nofiles_hard | Sets the hard limit for the number of file descriptors a user process may have open at one time. |
totalCPU | The total amount of CPU time allowed for each process in the class. This is specified as an integer with the units intended (s for seconds, m for minutes, h for hours, d for days, and w for weeks). |
totalDiskIO | The total amount of DiskIO allowed for each process in the class. This is specified as an integer with the units intended (KB for kilobytes, MB for megabytes, TB for terabytes, PB for petabytes, and EB for exabytes). |
totalProcesses | The maximum number of processes allowed in the class. If an operation would result in a new process entering the class when the class has this many processes in it, the operation will fail. |
totalThreads | The maximum number of threads allowed in the class. If an operation would result in a new thread entering the class when the class has this many threads in it, the operation will fail. The total thread limit must be at least as large as the total process limit for a class. If a class has a total thread limit but no total process limit specified, the total process limit will be set to the total thread limit. |
totalLogins | The total number of login sessions simultaneously available in the class. If a user tries to log onto the system and the login shell would end up in a class that has reached the totalLogins limit, the login operation will fail. Also, if an operation would cause a login shell to be moved into a class that has reached the totalLogins limit, the operation will also fail. |
totalConnectTime | The maximum amount of time a login session in the class can stay active. This is specified as an integer with the units intended (s for seconds, m for minutes, h for hours, d for days, and w for weeks). As a user approaches this connection time limit, WLM will send warning messages. When the limit is reached, the user will be notified and the login session will be terminated. |
Except for the cpu attribute, each attribute must be a decimal integer string representing the number of 512-byte blocks allotted to the user. The cpu attribute is a decimal integer string representing the amount of system unit time in seconds. For an example of a limits file stanza, see the "Examples" section.
When you create a user with the mkuser command, the system adds a stanza for the user to the limits file. Once the stanza exists, you can use the chuser command to change the user's limits. To display the current limits for a user, use the lsuser command. To remove users and their stanzas, use the rmuser command.
Access Control: This file should grant read (r) access to the root user and members of the security group, and write (w) access only to the root user. Access for other users and groups depends upon the security policy for the system.
Auditing Events:
Event | Information |
---|---|
S_LIMITS_WRITE | file name |
A typical record looks like the following example for user dhs:
```
dhs:
        fsize = 8192
        core = 4096
        cpu = 3600
        data = 1272
        stack = 1024
        rss = 1024
        nofiles = 2000
```
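The stanza format and the soft/hard substitution rules described above, as an added example (not code from the original page or from AIX): a Python parser that resolves each user's effective limits and lists the resources whose hard limit falls back to unlimited. The `ops` stanza and all function names are constructed for illustration.

```python
RESOURCES = ("fsize", "core", "cpu", "data", "stack", "rss", "nofiles")
# Substitution table: with only a soft value set, cpu and fsize copy it; the rest become unlimited.
HARD_COPIES_SOFT = {"cpu", "fsize"}

def parse_stanzas(text):
    """Parse stanza-format text into {user: {attribute: int}}."""
    stanzas, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:                        # a blank line ends the stanza
            current = None
        elif line.endswith(":") and "=" not in line:
            current = stanzas.setdefault(line[:-1].strip(), {})
        elif "=" in line and current is not None:
            name, value = (part.strip() for part in line.split("=", 1))
            current[name] = int(value)      # ValueError if not a decimal integer
        else:
            raise ValueError(f"line {lineno}: unexpected content {raw!r}")
    return stanzas

def effective_limits(attrs):
    """Return {resource: (soft, hard)} after applying the substitution rules."""
    resolved = {}
    for res in RESOURCES:
        soft, hard = attrs.get(res), attrs.get(res + "_hard")
        if soft is not None and hard is None:
            hard = soft if res in HARD_COPIES_SOFT else "unlimited"
        elif hard is not None and soft is None:
            soft = hard                     # soft defaults to the explicit hard value
        resolved[res] = (soft, hard)        # (None, None): system default applies
    return resolved

def unlimited_hard(attrs):
    """Resources whose hard limit resolves to unlimited by substitution."""
    return [r for r, (_, hard) in effective_limits(attrs).items() if hard == "unlimited"]

# Constructed input: the dhs stanza from this page plus a hypothetical user "ops".
SAMPLE = """\
dhs:
    fsize = 8192
    core = 4096
    cpu = 3600
    data = 1272
    stack = 1024
    rss = 1024
    nofiles = 2000

ops:
    core_hard = 0
"""
```

For the dhs stanza, only fsize and cpu end up with a bounded hard limit; calling `unlimited_hard` on each parsed stanza shows which users need explicit `_hard` attributes.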
File | Description |
---|---|
/etc/security/limits | Specifies the path to the file. |
/etc/group | Contains the basic group attributes. |
/etc/security/group | Contains the extended attributes of groups. |
/etc/passwd | Contains the basic user attributes. |
/etc/security/passwd | Contains password information. |
/etc/security/user | Contains the extended attributes of users. |
/etc/security/environ | Contains the environment attributes of users. |
/etc/security/audit/config | Contains audit-system configuration information. |
/usr/lib/security/mkuser.default | Contains the default values for user accounts. |
/etc/security/lastlog | Contains last login information. |
The chuser command, lsuser command, mkuser command, rmuser command.
The enduserdb subroutine, getuserattr subroutine, IDtouser subroutine, nextuser subroutine, putuserattr subroutine, setuserdb subroutine.
File and System Security Overview in AIX 5L Version 5.2 System User's Guide: Operating System and Devices.