Steve Graegert wrote:
1. /etc/security/limits.conf tells the kernel what and how much resources a user/group can use on a particular system. It can be seen as a quota.
I have a couple of questions on this. The /etc/security/limits.conf file and ulimit seem to only limit the number of processes per user. Can you also limit the number of processes that the system itself is allowed to run concurrently? I realize that in most cases this would cause undesirable effects, but I am thinking about this from a security standpoint. Say you benchmark a web server and determine the maximum number of processes needed. You could then impose a limit to help prevent remote code execution or buffer overflow exploits, because new processes would not be allowed to start. (OT, or is there a way to create a white list of allowed processes?) Also, are changes to the limits.conf file immediate, or does a service need to be restarted for any changes to take effect? You could create a script that oversees requests for processes, checks each request against a white list, then updates the limits.conf file to allow an additional process. Is this a good idea, or is my logic flawed?

- James W.
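
An added example, not part of either post: a small audit of the per-user and per-group `nproc` entries discussed above, run over limits.conf-style text. The sample file contents and the function names are constructed for illustration; the line format (`<domain> <type> <item> <value>`) and the rule that wildcard and group entries are not applied to root come from the pam_limits documentation.

```python
# Added example: audit nproc entries in limits.conf-style text.
# SAMPLE is constructed for illustration, not taken from a real host.
SAMPLE = """\
# <domain>  <type>  <item>  <value>
*           soft    nproc   200
*           hard    nproc   400
@webadmin   -       nproc   50
www-data    hard    nproc   64
www-data    hard    nofile  4096
root        soft    nproc   unlimited
"""

UNLIMITED = {"unlimited", "infinity", "-1"}


def parse_nproc(text):
    """Return (domain, type, value) for each nproc line; value None = unlimited."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, split columns
        if len(fields) != 4:
            continue                            # blank or malformed line
        domain, ltype, item, value = fields
        if item != "nproc" or ltype not in ("soft", "hard", "-"):
            continue
        if value in UNLIMITED:
            entries.append((domain, ltype, None))
        elif value.isdigit():
            entries.append((domain, ltype, int(value)))
    return entries


def hard_caps(entries):
    """Map domain -> hard nproc cap. Type '-' sets soft and hard together."""
    return {d: v for d, t, v in entries if t in ("hard", "-")}


def findings(entries):
    """Report domains that end up without a finite hard process cap."""
    caps = hard_caps(entries)
    out = []
    if caps.get("*") is None:
        out.append("no finite hard nproc default for '*'")
    if caps.get("root") is None:
        # Wildcard and group limits are not applied to root; it needs its own line.
        out.append("root has no finite hard nproc cap")
    return out


if __name__ == "__main__":
    print(hard_caps(parse_nproc(SAMPLE)))
    print(findings(parse_nproc(SAMPLE)))
```
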