2

You can set memory usage limits for standard Linux applications in: /etc/security/limits.conf

Unfortunately, I previously thought these limits only apply to user applications and not system services. This means that users can bypass their limits by launching applications through a system service such as screen. I'd like to know if it's possible to let users use screen but still enforce application limits.

Jeff had the great idea of using nohup which obeys user limits (wonderful!), but I would still like to know if it's possible to mimic the useful windowing features of screen.

EDIT:

It seems my screen sessions are now obeying my hard address space limits defined in /etc/security/limits.conf. I must have been making some mistake. I recently installed cpulimit, but I doubt that's the solution. Thanks for the nohup tip, Jeff! It's very useful.

Link to CPU Limit package

xikkub
  • 1
    If you give someone access to your system, the fact that they are able to spawn processes is not an exploit. I'd rephrase the title of your question. – gparent Apr 05 '12 at 17:59
  • The exploit comes from users being able to circumvent limits defined in `limits.conf` by using `screen`. I think the term "exploit" is appropriate. – xikkub Apr 05 '12 at 18:01
  • 3
    Which limits are they able to circumvent, exactly? – Kyle Smith Apr 05 '12 at 20:11
  • Address space limits, CPU time, number of locks, and others as defined in `limits.conf`. Link here: http://linux.die.net/man/5/limits.conf – xikkub Apr 05 '12 at 22:18

1 Answer

2

I'm not going to comment on whether that's an actual 'exploit' or intended behavior, but the work-around for this situation is to not allow access to screen. If they/you need to run a process while they're logged out they could use nohup.

Jeff Welling
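An added example, not part of the original question or answer: one way to check whether processes started under screen (or anything else) actually carry the hard address-space limit set in `/etc/security/limits.conf` is to read `/proc/<pid>/limits` for each of the user's processes. The script name, function names and the `--scan` argument are assumptions made for this sketch; the `as` item in `limits.conf` is given in KB, while `/proc` reports bytes.

```bash
#!/usr/bin/env bash
# Audit the hard address-space limit of a user's running processes.

# Print the hard limit for one row of a /proc/<pid>/limits file.
# $1 = limits file, $2 = row name, e.g. "Max address space"
hard_limit() {
    awk -v name="$2" '
        index($0, name) == 1 {
            n = split(name, words, " ")   # columns after the name: soft, hard, units
            print $(n + 2)
            exit
        }' "$1"
}

# Succeed only if the hard address-space limit equals the expected value.
# $1 = limits file, $2 = expected "as" value in KB (limits.conf units)
as_limit_ok() {
    local hard
    hard=$(hard_limit "$1" "Max address space")
    [ "$hard" = "$(( $2 * 1024 ))" ]      # /proc reports bytes
}

# Constructed sample in the /proc/<pid>/limits layout, for offline testing.
# $1 = value to place in both the soft and hard address-space columns
sample_limits() {
    printf '%-25s %-20s %-20s %-10s\n' \
        "Limit" "Soft Limit" "Hard Limit" "Units" \
        "Max cpu time" "unlimited" "unlimited" "seconds" \
        "Max address space" "$1" "$1" "bytes" \
        "Max file locks" "unlimited" "unlimited" "locks"
}

# Usage (hypothetical script name): ./audit_as.sh --scan <user> <expected_as_kb>
if [ "${1:-}" = "--scan" ]; then
    for pid in $(pgrep -u "$2"); do
        f="/proc/$pid/limits"
        [ -r "$f" ] || continue           # process exited or not readable
        if ! as_limit_ok "$f" "$3"; then
            printf 'MISMATCH pid=%s cmd=%s hard_as=%s\n' "$pid" \
                "$(cat "/proc/$pid/comm" 2>/dev/null)" \
                "$(hard_limit "$f" "Max address space")"
        fi
    done
fi
```

Run as root so every process's limits file is readable; any `MISMATCH` line names a process that is not running under the configured limit.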