users-limiting.html

这是很好的学习嵌入式LINUX的文章

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>Limiting Users</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
<link rel="HOME" title="FreeBSD Handbook" href="index.html" />
<link rel="UP" title="Users and Basic Account Management" href="users.html" />
<link rel="PREVIOUS" title="Modifying Accounts" href="users-modifying.html" />
<link rel="NEXT" title="Personalizing Users" href="users-personalizing.html" />
<link rel="STYLESHEET" type="text/css" href="docbook.css" />
</head>
<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084"
alink="#0000FF">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<th colspan="3" align="center">FreeBSD Handbook</th>
</tr>

<tr>
<td width="10%" align="left" valign="bottom"><a href="users-modifying.html"
accesskey="P">Prev</a></td>
<td width="80%" align="center" valign="bottom">Chapter 13 Users and Basic Account
Management</td>
<td width="10%" align="right" valign="bottom"><a href="users-personalizing.html"
accesskey="N">Next</a></td>
</tr>
</table>

<hr align="LEFT" width="100%" />
</div>

<div class="SECT1">
<h1 class="SECT1"><a id="USERS-LIMITING" name="USERS-LIMITING">13.7 Limiting
Users</a></h1>

<p>If you have users, the ability to limit their system use may have come to mind.
FreeBSD provides several ways an administrator can limit the amount of system resources
an individual may use. These limits are divided into two sections: disk quotas, and other
resource limits.</p>

<p>Disk quotas limit disk usage to users, and they provide a way to quickly check that
usage without calculating it every time. Quotas are discussed in <a
href="quotas.html">Section 16.14</a>.</p>

<p>The other resource limits include ways to limit the amount of CPU, memory, and other
resources a user may consume. These are defined using login classes and are discussed
here.</p>

<p>Login classes are defined in <tt class="FILENAME">/etc/login.conf</tt>. The precise
semantics are beyond the scope of this section, but are described in detail in the <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=login.conf&sektion=5"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">login.conf</span>(5)</span></a> manual
page. It is sufficient to say that each user is assigned to a login class (<var
class="LITERAL">default</var> by default), and that each login class has a set of login
capabilities associated with it. A login capability is a <var class="LITERAL"><var
class="REPLACEABLE">name</var>=<var class="REPLACEABLE">value</var></var> pair, where
<var class="REPLACEABLE">name</var> is a well-known identifier and <var
class="REPLACEABLE">value</var> is an arbitrary string processed accordingly depending on
the name. Setting up login classes and capabilities is rather straight-forward and is
also described in <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=login.conf&sektion=5"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">login.conf</span>(5)</span></a>.</p>

<div class="NOTE">
<blockquote class="NOTE">
<p><b>Note:</b> The system does not read the configuration in <tt
class="FILENAME">/etc/login.conf</tt> directly, but reads the database file <tt
class="FILENAME">/etc/login.conf.db</tt>. To generate <tt
class="FILENAME">/etc/login.conf.db</tt> from <tt class="FILENAME">/etc/login.conf</tt>,
execute the following command:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">cap_mkdb /etc/login.conf</kbd>
</pre>
</blockquote>
</div>

<p>Resource limits are different from plain vanilla login capabilities in two ways.
First, for every limit, there is a soft (current) and hard limit. A soft limit may be
adjusted by the user or application, but may be no higher than the hard limit. The latter
may be lowered by the user, but never raised. Second, most resource limits apply per
process to a specific user, not the user as a whole. Note, however, that these
differences are mandated by the specific handling of the limits, not by the
implementation of the login capability framework (i.e., they are not <span
class="emphasis"><i class="EMPHASIS">really</i></span> a special case of login
capabilities).</p>

<p>And so, without further ado, below are the most commonly used resource limits (the
rest, along with all the other login capabilities, may be found in <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=login.conf&sektion=5"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">login.conf</span>(5)</span></a>).</p>

<div class="VARIABLELIST">
<dl>
<dt><var class="LITERAL">coredumpsize</var></dt>

<dd>
<p>The limit on the size of a core file generated by a program is, for obvious reasons,
subordinate to other limits on disk usage (e.g., <var class="LITERAL">filesize</var>, or
disk quotas). Nevertheless, it is often used as a less-severe method of controlling disk
space consumption: since users do not generate core files themselves, and often do not
delete them, setting this may save them from running out of disk space should a large
program (e.g., <b class="APPLICATION">emacs</b>) crash.</p>
</dd>

<dt><var class="LITERAL">cputime</var></dt>

<dd>
<p>This is the maximum amount of CPU time a user's process may consume. Offending
processes will be killed by the kernel.</p>

<div class="NOTE">
<blockquote class="NOTE">
<p><b>Note:</b> This is a limit on CPU <span class="emphasis"><i
class="EMPHASIS">time</i></span> consumed, not percentage of the CPU as displayed in some
fields by <a href="http://www.FreeBSD.org/cgi/man.cgi?query=top&sektion=1"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">top</span>(1)</span></a> and <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=ps&sektion=1"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">ps</span>(1)</span></a>. A limit on the
latter is, at the time of this writing, not possible, and would be rather useless: a
compiler--probably a legitimate task--can easily use almost 100% of a CPU for some
time.</p>
</blockquote>
</div>

<br />
<br />
</dd>

<dt><var class="LITERAL">filesize</var></dt>

<dd>
<p>This is the maximum size of a file the user may possess. Unlike <a
href="quotas.html">disk quotas</a>, this limit is enforced on individual files, not the
set of all files a user owns.</p>
</dd>

<dt><var class="LITERAL">maxproc</var></dt>

<dd>
<p>This is the maximum number of processes a user may be running. This includes
foreground and background processes alike. For obvious reasons, this may not be larger
than the system limit specified by the <var class="VARNAME">kern.maxproc</var> <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=sysctl&sektion=8"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">sysctl</span>(8)</span></a>. Also note
that setting this too small may hinder a user's productivity: it is often useful to be
logged in multiple times or execute pipelines. Some tasks, such as compiling a large
program, also spawn multiple processes (e.g., <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=make&sektion=1"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">make</span>(1)</span></a>, <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=cc&sektion=1"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">cc</span>(1)</span></a>, and other
intermediate preprocessors).</p>
</dd>

<dt><var class="LITERAL">memorylocked</var></dt>

<dd>
<p>This is the maximum amount a memory a process may have requested to be locked into
main memory (e.g., see <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=mlock&sektion=2"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">mlock</span>(2)</span></a>). Some
system-critical programs, such as <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=amd&sektion=8"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">amd</span>(8)</span></a>, lock into main
memory such that in the event of being swapped out, they do not contribute to a system's
trashing in time of trouble.</p>
</dd>

<dt><var class="LITERAL">memoryuse</var></dt>

<dd>
<p>This is the maximum amount of memory a process may consume at any given time. It
includes both core memory and swap usage. This is not a catch-all limit for restricting
memory consumption, but it is a good start.</p>
</dd>

<dt><var class="LITERAL">openfiles</var></dt>

<dd>
<p>This is the maximum amount of files a process may have open. In FreeBSD, files are
also used to represent sockets and IPC channels; thus, be careful not to set this too
low. The system-wide limit for this is defined by the <var
class="VARNAME">kern.maxfiles</var> <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=sysctl&sektion=8"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">sysctl</span>(8)</span></a>.</p>
</dd>

<dt><var class="LITERAL">sbsize</var></dt>

<dd>
<p>This is the limit on the amount of network memory, and thus mbufs, a user may consume.
This originated as a response to an old DoS attack by creating a lot of sockets, but can
be generally used to limit network communications.</p>
</dd>

<dt><var class="LITERAL">stacksize</var></dt>

<dd>
<p>This is the maximum size a process' stack may grow to. This alone is not sufficient to
limit the amount of memory a program may use; consequently, it should be used in
conjunction with other limits.</p>
</dd>
</dl>
</div>

<p>There are a few other things to remember when setting resource limits. Following are
some general tips, suggestions, and miscellaneous comments.</p>

<ul>
<li>
<p>Processes started at system startup by <tt class="FILENAME">/etc/rc</tt> are assigned
to the <var class="LITERAL">daemon</var> login class.</p>
</li>

<li>
<p>Although the <tt class="FILENAME">/etc/login.conf</tt> that comes with the system is a
good source of reasonable values for most limits, only you, the administrator, can know
what is appropriate for your system. Setting a limit too high may open your system up to
abuse, while setting it too low may put a strain on productivity.</p>
</li>

<li>
<p>Users of the X Window System (X11) should probably be granted more resources than
other users. X11 by itself takes a lot of resources, but it also encourages users to run
more programs simultaneously.</p>
</li>

<li>
<p>Remember that many limits apply to individual processes, not the user as a whole. For
example, setting <var class="VARNAME">openfiles</var> to 50 means that each process the
user runs may open up to 50 files. Thus, the gross amount of files a user may open is the
value of <var class="LITERAL">openfiles</var> multiplied by the value of <var
class="LITERAL">maxproc</var>. This also applies to memory consumption.</p>
</li>
</ul>

<p>For further information on resource limits and login classes and capabilities in
general, please consult the relevant manual pages: <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=cap_mkdb&sektion=1"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">cap_mkdb</span>(1)</span></a>, <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=getrlimit&sektion=2"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">getrlimit</span>(2)</span></a>, <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=login.conf&sektion=5"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">login.conf</span>(5)</span></a>.</p>
</div>

<div class="NAVFOOTER">
<hr align="LEFT" width="100%" />
<table summary="Footer navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<td width="33%" align="left" valign="top"><a href="users-modifying.html"
accesskey="P">Prev</a></td>
<td width="34%" align="center" valign="top"><a href="index.html"
accesskey="H">Home</a></td>
<td width="33%" align="right" valign="top"><a href="users-personalizing.html"
accesskey="N">Next</a></td>
</tr>

<tr>
<td width="33%" align="left" valign="top">Modifying Accounts</td>
<td width="34%" align="center" valign="top"><a href="users.html"
accesskey="U">Up</a></td>
<td width="33%" align="right" valign="top">Personalizing Users</td>
</tr>
</table>
</div>

<p align="center"><small>This, and other documents, can be downloaded from <a
href="ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/">ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/</a>.</small></p>

<p align="center"><small>For questions about FreeBSD, read the <a
href="http://www.FreeBSD.org/docs.html">documentation</a> before contacting &#60;<a
href="mailto:questions@FreeBSD.org">questions@FreeBSD.org</a>&#62;.<br />
For questions about this documentation, e-mail &#60;<a
href="mailto:doc@FreeBSD.org">doc@FreeBSD.org</a>&#62;.</small></p>
</body>
</html>