The `/etc/security/limits.conf` file is a critical system configuration that controls resource allocation for user processes in Linux. Contrary to what traditional documentation suggests, its parameters have nuanced behaviors that deserve deeper exploration.
Let's clarify the priority-related parameters first:
```
# Example configuration for priority controls
* hard rtprio 10 # Max realtime priority
developer soft priority -5 # Base priority boost
```
- rtprio: Maximum realtime priority (1-99) for non-root processes (SCHED_RR/SCHED_FIFO)
- priority: Base priority level (-20 to 19) where negative values increase priority
- nice: Maximum nice adjustment allowed (-20 to 19) for process priority tuning
These control physical resource consumption:
```
# Resource limit examples
@webusers hard cpu 30 # 30 minutes CPU time
dbadmin - memlock 8192 # 8MB locked memory
```
Parameter | Description | Default | Unit |
---|---|---|---|
data | Max data segment size | ULONG_MAX | KB |
fsize | Max file size | ULONG_MAX | KB |
cpu | Max CPU time | RLIM_INFINITY | Minutes |
memlock | Locked memory | 64KB (varies) | KB |
When limits are exceeded:
- CPU limit: Process receives SIGXCPU at soft limit, SIGKILL at hard limit
- Memory limits: malloc() returns NULL and sets errno to ENOMEM
- File limits: write() fails with EFBIG error
For web server processes:
```
# Apache/Nginx worker limits
www-data soft nofile 4096
www-data hard nofile 16384
www-data hard as unlimited
```
For database systems:
```
# PostgreSQL configuration
postgres hard memlock unlimited
postgres soft fsize 1048576 # 1 GB, expressed in KB
postgres hard nproc 5000
```
Check applied limits using:
```
# View current process limits
cat /proc/$$/limits
# Test specific user's limits
su - username -c "ulimit -a"
```
Remember that changes require new login sessions. For systemd services, use `Limit*` directives in unit files instead.
The `/etc/security/limits.conf` file controls resource limits in Linux systems through PAM (Pluggable Authentication Modules). Here's a detailed breakdown of key parameters:
```
# Format: <domain> <type> <item> <value>
* hard rtprio 0
@developers soft nice -10
dbuser hard memlock 500000
```
rtprio vs priority:
- rtprio: Maximum realtime priority (1-99) for non-root processes (SCHED_FIFO/SCHED_RR)
- priority: Standard nice-based priority (-20 to 19, negative values increase priority)
```
# Example setting realtime priority limit
* hard rtprio 10 # Allows max priority 10 for realtime processes
```
Parameter | Description | Default | Unit |
---|---|---|---|
data | Max data segment size | unlimited | KB |
fsize | Max file size | unlimited | KB |
memlock | Max locked memory | 64KB (soft), unlimited (hard) | KB |
cpu | Max CPU time | unlimited | minutes |
nproc | Max processes | varies by system | count |
Database server configuration example:
```
# PostgreSQL user limits
postgres hard nproc 10000
postgres hard memlock 4194304 # 4GB
postgres hard nofile 65536
postgres soft fsize unlimited
```
Developer workstation example:
```
# Developer group limits
@devteam hard core unlimited
@devteam soft nproc 4000
@devteam hard stack 32768
```
System responses to limit violations:
- CPU limit: Process receives SIGXCPU signal (configurable action)
- Memory limit: Process receives SIGKILL (OOM killer may intervene)
- File size: System calls return EFBIG error
- Process count: fork() fails with EAGAIN
Check applied limits with:
```
# View soft limits
ulimit -Sa
# View hard limits
ulimit -Ha
# View specific limit (e.g., max user processes)
ulimit -u
```
For per-process customization, use the `/etc/security/limits.d/` directory. Example:
```
# /etc/security/limits.d/99-web-server.conf
www-data hard nofile 16384
www-data soft as unlimited
```
Remember that changes require re-authentication (new login sessions) or can be applied immediately using `pam_limits.so` with `session required pam_limits.so` in PAM configuration.
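Entries in this four-field format are easy to get subtly wrong, so the added example below (not part of the original page) lints limits.conf-style text before it is deployed: it flags malformed entries, values carrying unit suffixes, out-of-range priority values, and a soft limit set above its hard limit. The function name `lint_limits` and the sample input are assumptions made for illustration; the ranges follow this page, with 0 also accepted for rtprio as in the `* hard rtprio 0` entry above.

```python
import re

# Items from limits.conf(5); extend the set for newer pam_limits releases.
ITEMS = set("core data fsize memlock nofile rss stack cpu nproc as maxlogins "
            "maxsyslogins priority locks sigpending msgqueue nice rtprio".split())
RANGES = {"nice": (-20, 19), "priority": (-20, 19), "rtprio": (0, 99)}

def lint_limits(text):
    """Return (line_number, message) findings for limits.conf-style text."""
    findings, seen = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue  # blank line or comment
        if len(fields) != 4 or fields[1] not in ("soft", "hard", "-") or fields[2] not in ITEMS:
            findings.append((n, "malformed entry or unknown type/item"))
            continue
        domain, typ, item, value = fields
        if value in ("unlimited", "infinity") or (value == "-1" and item not in RANGES):
            num = float("inf")
        elif re.fullmatch(r"-?\d+", value):
            num = int(value)
        else:  # e.g. "1GB": values are plain integers in the item's unit
            findings.append((n, f"non-numeric value {value!r} for {item}"))
            continue
        lo, hi = RANGES.get(item, (0, float("inf")))
        if not lo <= num <= hi:
            findings.append((n, f"{item} value {value} outside {lo}..{hi}"))
        for t in (("soft", "hard") if typ == "-" else (typ,)):
            seen[(domain, item, t)] = (n, num)
    for (domain, item, t), (n, soft) in seen.items():
        hard = seen.get((domain, item, "hard"))
        # nice/priority are skipped: a lower number there means more privilege
        if t == "soft" and hard and item not in ("nice", "priority") and soft > hard[1]:
            findings.append((n, f"soft {item} for {domain} exceeds hard on line {hard[0]}"))
    return findings

# Constructed sample: entries from this page plus two deliberate mistakes.
SAMPLE = """\
@developers soft nice -10
postgres soft fsize 1GB
www-data soft nofile 32768
www-data hard nofile 16384
dbuser hard rtprio 150
"""

if __name__ == "__main__":
    for lineno, msg in lint_limits(SAMPLE):
        print(f"line {lineno}: {msg}")
```

The soft/hard comparison only matches entries that share the same domain string, so a wildcard `*` hard limit is not checked against a per-user soft limit.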