Group: comp.os.linux.security


Subject: ulimit
From: Sylvain Robitaille
Date: 11/8/2007 5:09:52 AM
Steven Borrelli wrote:

> How can I (being root) prevent other users from changing their ulimit?
> I know this is possible in UNIX, but I'm not sure about Linux ....

You can't prevent them from changing the limits; you can only impose a "cap" (a hard limit) on how much of the system resources any user can use. A user process can still change (lower, for example) its own limits.

*How* you do this, be it on a commercial Unix system, Linux of whatever flavour, or a *BSD system, seems to me to be implementation specific. See the "limits" manual page on Slackware (and other, perhaps?) Linux systems for an example of one possibility.

I hope this helps ...

-- 
----------------------------------------------------------------------
Sylvain Robitaille syl@alcor.concordia.ca
Systems and Network analyst Concordia University
Instructional & Information Technology Montreal, Quebec, Canada
----------------------------------------------------------------------

Subject: ulimit
From: ibuprofin@painkiller.example.tld (Moe Trin)
Date: 11/8/2007 1:47:58 PM
On Thu, 08 Nov 2007, in the Usenet newsgroup comp.os.linux.security, in article <1194494735.248243.325540@d55g2000hsg.googlegroups.com>, Steven Borrelli wrote:

NOTE: Posting from groups.google.com (or some web-forums) dramatically reduces the chance of your post being seen. Find a real news server. And please don't post the same question to multiple newsgroups.

>How can I (being root) prevent other users from changing their ulimit?

You can't. They can _reduce_ their limits, or increase them up to the limits you set, but it's not easy to prevent anyone from changing them below those maximum limits.

>I know this is possible in UNIX, but I'm not sure about Linux (i.e.
>Slackware, SUSE). By the way, how would I do it in UNIX? (i.e.
>Solaris, Darwin, or FreeBSD)

It's a _shell_ function, not an O/S. You're probably running a Bourne type shell (sh, bash, ksh, or similar), and for that the built-in command is 'ulimit'. For a 'c' type shell (csh, tcsh, and similar), the command is 'limit'.

Limits are set in a login shell - so if you are using a text based login and a Bourne shell, use /etc/profile. If using a 'csh' shell, use ~/.login in the user's home directory. If using a 'tcsh' shell, see the man page, as things vary as a function of how the shell is compiled.

For a _GUI_ login (runlevel 5 in a Linux Standard Base compliant distribution)[1], you need to look at the man page for the display manager used (gdm, kdm, wdm, xdm, etc.) as they usually do NOT use a shell as the place to set things - .xinitrc, .xsession, or similar - often in the user's home directory.

For those files that set the limits but are located _in_ the user's home directory, you need to change ownership of that/those files to root:root, and set the 'sticky bit' on the directory itself (chmod 1750 /home/mumble) so that only the file _owner_ can delete the file.

Bottom line - see the man page for the shell used, and read the sections about limits and shell invocation.

Old guy

[1] Mandriva 2008 is an exception. The GUI login shell scripts source ~/.bash_profile - which isn't much good in a 'csh' environment, but is a start.
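
Both replies describe the same rule: the administrator sets a hard cap, and a user can lower limits or raise the soft limit up to that cap, but no further. The script below is an added example, not part of either post; it assumes a Bourne-type shell whose `ulimit` builtin accepts `-n`, `-H` and `-S`, and uses a constructed cap of 64 open files with hypothetical helper names `try` and `limit_demo`.

```bash
#!/bin/bash
# Added example (not from the thread). Everything runs in a subshell, so the
# caller's own limits are never changed.
CAP=64          # constructed value standing in for the administrator's hard limit

# Run one ulimit change in the current shell and record the outcome in $result.
try() {
    if ulimit "$@" 2>/dev/null; then result=ok; else result=denied; fi
}

limit_demo() (
    # Without -H or -S the builtin sets both limits: this is the "cap".
    ulimit -n "$CAP" || exit 1

    try -S -n $((CAP / 2)); lower_soft=$result      # lowering the soft limit
    try -S -n "$CAP";       soft_to_cap=$result     # raising it back up to the cap
    try -S -n $((CAP * 2)); soft_above_cap=$result  # soft may never exceed hard
    try -n $((CAP / 2));    lower_hard=$result      # lowering the hard limit too
    # Raising a hard limit needs privilege (CAP_SYS_RESOURCE on Linux), so an
    # ordinary user gets "denied" here and the lowered cap is permanent.
    try -H -n "$CAP";       raise_hard=$result

    echo "lower_soft=$lower_soft soft_to_cap=$soft_to_cap" \
         "soft_above_cap=$soft_above_cap lower_hard=$lower_hard" \
         "raise_hard=$raise_hard hard_now=$(ulimit -H -n)"
)

limit_demo
```
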