Frequently Asked Question
What does /etc/security/limits.conf do and when do I need it?
/etc/security/limits.conf is the configuration file for pam_limits, the PAM module
that sets per-user resource limits (the things ulimit -a reports) when a session is
created. Lines look like "webapp hard nofile 65535", that is, "user webapp may
open at most 65535 file descriptors, and is not allowed to raise the limit". The
knobs cover open files, address-space size, CPU time, processes, locked memory, and
core-file size, among others. Drop-in files in /etc/security/limits.d/ are usually
the more maintainable place to put per-application overrides.
The defensive use is twofold. First, raising limits to support genuine workloads: a
database that opens tens of thousands of sockets, a build server with many parallel
compilers. Second, capping limits to contain damage: refusing fork bombs by limiting
nproc, refusing memory-exhaustion attacks by limiting as (address-space size),
refusing accidental multi-gigabyte cores by setting core 0. A modest cap on nproc
for ordinary shell users is the canonical defence against the classic
:(){ :|:& };: and its modern equivalents.
One pitfall: pam_limits only applies to processes started through PAM (login,
sshd, su, cron), not to services started directly by systemd. For those,
use the unit's LimitNOFILE=, LimitNPROC=, and friends, which are the systemd
equivalent and apply regardless of PAM.
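One way to confirm which limit a process actually received, given the PAM-versus-systemd pitfall above (an added example, not part of the original FAQ): it compares a limits.conf entry with a saved copy of /proc/<pid>/limits. The function names, the sample files and the values in them are constructed for illustration.

```shell
# Map a limits.conf item to its row label in /proc/<pid>/limits.
proc_label() {
    case "$1" in
        nofile) echo "Max open files" ;;
        nproc)  echo "Max processes" ;;
        as)     echo "Max address space" ;;
        core)   echo "Max core file size" ;;
        *)      return 1 ;;
    esac
}
# configured_limit CONF USER TYPE ITEM: value from a limits.conf-style file.
# Simplified: exact user match only (no @group or * domains), last match wins.
configured_limit() {
    awk -v d="$2" -v t="$3" -v i="$4" '
        /^[ \t]*#/ { next }
        $1 == d && ($2 == t || $2 == "-") && $3 == i { v = $4 }
        END { if (v == "") exit 1; print v }' "$1"
}
# effective_limit FILE LABEL soft|hard: value from a /proc/<pid>/limits dump.
effective_limit() {
    awk -v name="$2" -v which="$3" '
        index($0, name " ") == 1 {
            split(substr($0, length(name) + 1), f, " ")
            print (which == "soft" ? f[1] : f[2]); found = 1
        }
        END { exit !found }' "$1"
}
# check_limit CONF USER ITEM FILE: 0 if the effective hard limit matches.
check_limit() {
    label=$(proc_label "$3") || return 2
    want=$(configured_limit "$1" "$2" hard "$3") || return 2
    have=$(effective_limit "$4" "$label" hard) || return 2
    [ "$want" = "$have" ] && { echo "OK $3=$have"; return 0; }
    echo "MISMATCH $3: limits.conf=$want effective=$have"; return 1
}
# Constructed sample data (not taken from a real host).
tmp=$(mktemp -d)
printf '%s\n' '# sample' 'webapp hard nofile 65535' 'webapp hard core 0' > "$tmp/limits.conf"
printf '%s\n' \
  'Limit                     Soft Limit           Hard Limit           Units' \
  'Max core file size        0                    0                    bytes' \
  'Max open files            1024                 65535                files' > "$tmp/pam_session"
printf '%s\n' \
  'Limit                     Soft Limit           Hard Limit           Units' \
  'Max core file size        0                    unlimited            bytes' \
  'Max open files            1024                 524288               files' > "$tmp/systemd_service"
check_limit "$tmp/limits.conf" webapp nofile "$tmp/pam_session"
check_limit "$tmp/limits.conf" webapp nofile "$tmp/systemd_service" || true
```

On a live host, pass /proc/<pid>/limits for the service's main PID as the last argument; a mismatch on a systemd-started service means the limit belongs in the unit file rather than in limits.conf.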