Back to main index


Understanding the ulimit output

cat /etc/security/limits.conf

#<domain>      <type>  <item>           <value>
# enforce system limits (better security ?)
*               soft    core             0              # no core dump
*               hard    data             8192000        # 8GB max heap
*               hard    fsize            50000000       #50GB max file size
#memlock - only root can do it
*               soft    nofile           1024           # bash enforced limit for maxim open files
*               hard    nofile           4096           # kernel enforced limit
#rss - appeared in 2.6 series, now removed due to problems
*               soft    stack            8192           # 8MB stack size (soft)
*               hard    stack            16384          #16MB stack size (maxim)
#cpu - kills the process when its total execution time has exceeded the limit
*               soft    nproc            2000           # high proc limit (soft)
*               hard    nproc            8000           # max proc limit (kernel)
*               soft    as               8200192        # 8.2GB, data+stack (shell)
*               hard    as               8208384        # 8.2GB, data+stack (kernel)
#maxlogins      - maxim of ttyX & ptr/X (tty1,tty2,pts/0,pts/2,etc)
#maxsyslogins   - no limitation
#priority       - alter the niceness of processes of a user
#locks          - default
#sigpending     - default
#msgqueue       - default
#nice           - default
#rtprio         - default

And in case the first link will be unavailable in the future, here is a copy paste.

CPU TIME - Limits the number of CPU seconds a process can use (not
clock seconds).  CPU time is the amount of time the CPU actual spends
executing processor instructions and is often much less than the total
program "runs time".  A program that did math for 10 seconds would use
a lot of CPU time, where as a program that simply paused for 10
seconds before display a message would use next to none. 

When a process exceeds the soft CPU time limit it will be sent a XCPU
signal (and terminated if the signal isn't caught).  When it exceeds
the hard limit it will be sent a kill signal.

VIRTUAL MEMORY SIZE - the most useful of the memory-related
limitations, because it includes all types of memory, including the
stack, the heap, and memory-mapped files. Attempts to allocate memory
in excess of this limit will fail with an out-of-memory error.
Specified in kilobytes, in the bash shell, as found in Linux and many
other systems. The maximum virtual memory size is for a single process.

DATA SEGMENT SIZE - Limits the amount of memory that a process can
allocate on the heap, as with malloc, calloc, C++ "new," and most
object creation in higher-level languages. Specified in kilobytes, in
the bash shell, as found in Linux and many other systems.

STACK SIZE - Limits the amount of memory a process can allocate on the
stack, as in the case of local variables in C, C++ and many other
languages. Limiting the stack size stops runaway recursive function
calls; however, it is possible to legitimately allocate large arrays
of data on the stack without unreasonable recursion. Specified in
kilobytes, in the bash shell, as found in Linux and many other

FILE SIZE - Limits the maximum size of any one file a process can
create. Specified in 512-byte blocks, in the bash shell, as found in
Linux and many other systems.

MAX USER PROCESSES - limits the number of processes the current user
is permitted to have in the process table at one time. Attempts to
start additional processes will fail.

OPEN FILES - limits the number of file descriptors belonging to a
single process. "File descriptors" includes not only files but also
sockets for Internet communication. Attempts to open additional file
descriptors will fail.

CORE FILE SIZE - Limits the size of a "core" file left behind when a
process encounters a segmentation fault or other unexpected fatal
error. Core files are images of the entire memory space used by the
process at the time of the crash, and can be used to examine the state
of the process at that time with a debugger, such as gdb. In most
cases core files are of limited utility if the process was not
compiled with debugging flags enabled. Disabling core files with a
core file size limit of zero is reasonable when the processes expected
are not C/C++ applications compiled with -g or similar or no such
debugging capability is desired. Specified in 512-byte blocks.

LOCKED MEMORY - this parameter limits the maximum amount of memory
that can be "locked down" to a specific address in physical memory by
a given process. In practice, only the root user can lock memory in
this fashion. Specified in kilobytes, in the bash shell, as found in
Linux and many other systems.

MAX RESIDENT SET SIZE - this parameter limits the amount of memory
that can be "swapped in" to physical RAM on behalf of any one process.
While patches have been offered, this limit is not actually enforced
in mainstream Linux kernels; it briefly appeared in the 2.6 series but
has been removed for now due to problems. Specified in kilobytes, in
the bash shell, as found in Unix and many other systems.

MAX TOTAL SOCKET BUFFER SIZE - this parameter limits the total amount
of memory that may be taken up by buffers holding network data on
behalf of a given process. Originated as a response to
denial-of-service attacks which worked by initiating large numbers of
connections and flooding them with input; the operating system would
buffer this data patiently while waiting for the receiving process to
cope with it. Implemented in FreeBSD; not implemented in Linux, which
does not address this issue via a configurable limit. Specified in

PIPE SIZE - when two Unix processes communicate via a pipe or FIFO
(first in first out) buffer, as in the simple case of paging through a
directory listing with the command "ls | more", the output of the
first command is buffered before transmission to the second. The size
of this buffer, in bytes, is the pipe size. This is typically not an
adjustable parameter, except at kernel compile time.

Back to main index