On CentOS 6.4 / 64 bit - how to find the limits of the user "nobody"?

Because I cannot just su - nobody and call ulimit -a:

# id nobody
uid=99(nobody) gid=99(nobody) groups=99(nobody)

# su - nobody
This account is currently not available.

UPDATE:

I am asking: how to call ulimit -a for the CentOS user nobody, so that I can adjust /etc/security/limits.conf in regard to the max number of open files for that user.

EVEN MORE DETAILS:

I have a perl script (a non-forking TCP-sockets based card game daemon) which is being started by init (I've created a file for it: /etc/init/my_card_game.conf), but then drops super user privileges and runs as nobody:

use POSIX qw(setuid setgid);   # setuid/setgid are not Perl builtins; they come from POSIX

sub drop_privs {
        my ($uid, $gid) = (getpwnam('nobody'))[2, 3];
        die "User nobody not found\n" unless $uid && $gid;

        umask(0);
        chdir('/tmp') or die "Can not chdir to /tmp: $!\n";
        #chroot('/tmp') or die "Can not chroot to /tmp: $!\n";

        # set the real, effective and saved ids; gid first, because
        # once the uid is no longer 0 setgid() would be refused
        # (note: supplementary groups, $), are not cleared here)
        setgid($gid) or die "Can not set gid to $gid: $!\n";
        setuid($uid) or die "Can not set uid to $uid: $!\n";
        # try to regain privileges - this should fail
        die "Not able to drop privileges\n" if setuid(0) || setgid(0);
}

I want to make sure it has a big enough max number of nofiles - so that it can serve all connected clients.

Alexander Farber
  • You are asking how to figure out something that does not exist. There are no limits of a user. Only processes have limits. As you know, what limits a process gets doesn't depend entirely on its user but on how the process is created. – David Schwartz Jul 17 '13 at 11:39
  • I am asking: how to call "ulimit -a" for the CentOS user "nobody" – Alexander Farber Jul 17 '13 at 11:50
  • You can't. Users don't have ulimits. Only processes do. What ulimit a process owned by "nobody" will have depends on how it is created, as (it seems) you already knew when you asked the question. – David Schwartz Jul 17 '13 at 11:51
  • @DavidSchwartz: You can very much limit a user, e.g. to a total amount of processes. These limits are displayed by `ulimit` and are *not* tied to a process, but a user. – Sven Jul 17 '13 at 12:03
  • @SvW: The limits displayed by `ulimit` are the limits of the current process. – David Schwartz Jul 17 '13 at 12:07

2 Answers

The limits must be raised before privileges are dropped since privileges are needed to raise hard resource limits. You can add code to your script to do it. But the easiest way is to make a shell script that launches your perl script. The shell script can use ulimit since it will still have privileges. (Users have nothing to do with this. Resource limits are attributes of processes.)

David Schwartz
  • What about the file `/etc/security/limits.conf` doesn't it describe limits for users? – Alexander Farber Jul 17 '13 at 12:14
  • No. It describes limits for login sessions -- groups of processes. Sometimes the distinction isn't important, so we can afford to be imprecise. But this question shows how that can lead people astray. – David Schwartz Jul 17 '13 at 12:18
  • What happens when I call `su - postgres` (that user has a login shell) and `ulimit -a`? I can see the limits for that user – Alexander Farber Jul 17 '13 at 12:48
  • You can see the limits for the login session. If they were the limits for the user, you would also see them if you don't use the `-` parameter to `su` since the user would be the same. The limits on a process (or login session, depending on which limit we're talking about) are determined by how that process was created. It inherits its parent's limits, if privileged it can raise them, and it can lower them if it chooses. – David Schwartz Jul 17 '13 at 12:48
  • So for my perl daemon, should I set the `nofiles` in `/etc/init/my_game.conf` or in `/etc/security/limits.d/90-nproc.conf`? – Alexander Farber Jul 17 '13 at 12:58
  • I'm not familiar enough with your distribution to know the best way to do it with your distribution's launch scheme. You can try it each way. – David Schwartz Jul 17 '13 at 13:29
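The wrapper this answer describes, plus a way to actually inspect the limits of the daemon once it is running, as an added shell example that is not part of the original answer; the daemon path and the 32768 value are assumptions:

```shell
#!/bin/sh
# Added example, not from the original question or answers. Two pieces:
#  1. launch_daemon: raises the open-files limit while still root, then execs
#     the perl daemon, which drops to nobody itself. Resource limits survive
#     setuid(), so the daemon keeps the raised limit after drop_privs.
#  2. proc_nofile_limits / nobody_limits: limits belong to processes, so the
#     way to "see the ulimits of nobody" is /proc/<pid>/limits of the process.
# DAEMON and NOFILE are assumed values, not from the original post.
DAEMON=/usr/local/bin/my_card_game.pl
NOFILE=32768

launch_daemon() {
    # Hard limit first (raising it needs root), then the soft limit up to it.
    ulimit -H -n "$NOFILE" || return 1
    ulimit -S -n "$NOFILE" || return 1
    exec perl "$DAEMON"
}

# Read a /proc/<pid>/limits table on stdin, print "<soft> <hard>" for Max open files.
parse_nofile_limits() {
    awk '/^Max open files/ { print $4, $5 }'
}

# Same, for a live process id.
proc_nofile_limits() {
    parse_nofile_limits < "/proc/$1/limits"
}

# List every process owned by nobody with its pid, command line and open-file limits.
nobody_limits() {
    for pid in $(pgrep -u nobody); do
        printf '%s [%s] soft/hard nofile: %s\n' "$pid" \
            "$(tr '\0' ' ' < "/proc/$pid/cmdline")" "$(proc_nofile_limits "$pid")"
    done
}
```

On CentOS 6 the same effect without a wrapper is the Upstart `limit nofile 32768 32768` stanza in /etc/init/my_card_game.conf, which is the init-side counterpart to the limits.conf question in the comments.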
The -u flag to ulimit, from the ulimit man page:

-u The maximum number of processes available to a single user

In RedHat / CentOS, the file /etc/security/limits.conf describes the per-user limits. So if you are running out of file descriptors for a particular user (e.g. your apache "nobody" user), you can add a line to the end of that file (by default it's empty). Increasing this from 4096 to 32768 solved a problem for us on a ColdFusion 10 / apache 2.2 / RedHat server.

andrew lorien
  • While correct, this doesn't answer his question. He's not interested in the per-user limits enforced by PAM during login. – David Schwartz Dec 04 '15 at 09:23
  • The problem described in "even more details" is almost identical to the problem we had. To diagnose, we had to solve the problem described in "update". I think my answer is correct for Alexander's comment 'I am asking: how to call "ulimit -a" for the CentOS user "nobody" ' – andrew lorien Dec 07 '15 at 01:50
  • Except it's clear from context that he doesn't mean when the user logs in. – David Schwartz Dec 07 '15 at 08:37
  • ulimit -u nobody will show the current maximum processes, any time. – andrew lorien Dec 09 '15 at 04:30