7

One of our users has been compiling their own program within their home directory. Normally we don't mind, but this particular program has a memory leak and eats into the SWAP. We have told this user many times not to run the program and yet she wouldn't listen.

Is there a simple way of blocking a certain program from running?

lbanz
  • 1,609

3 Answers

24

Two ways:

  • Use limits.conf to assign the maximum allotted memory per process for that user
  • Create a cgroup for that user in order to limit their total memory usage

More details here: https://unix.stackexchange.com/questions/34334/how-to-create-a-user-with-limited-ram-usage

NoNoNo
  • 1,973
  • 4
    I'm not a fan of technological solutions here. The user has demonstrated a willingness to harm the server and its other users, despite repeated warnings. IT shouldn't be doing extra work to keep them in jail, the user should lose access and probably be fired if they're an employee. – ceejayoz Jul 20 '16 at 20:49
  • 6
    One should also have a system that enforces policy, rather than just banning users after the fact. – Jesse K Jul 20 '16 at 21:03
  • 6
    @ceejayoz Or, if one must implement a technological solution, at least have some fun with it. "You say that when you ran your program again, it deleted all your files? Weird. Well, we told you not to run it again, didn't we?" – HopelessN00b Jul 20 '16 at 21:09
  • I think annoying would be enough to solve the matter. Something in the line of resetting password so she has to make a walk/call every time. – dryman Jul 21 '16 at 08:35
  • 3
    I would take this as a solution. I know most people agree that we should just ban the user to stop them from logging onto the servers. Unfortunately it doesn't work like that in a scientific research environment. – lbanz Jul 21 '16 at 11:09
  • @lbanz My sympathies. While that's a tough spot, a professor who ruined a lecture hall regularly so subsequent classes couldn't use it would probably see themselves sanctioned. If it's possible to go to their supervisor/dean to get them reprimanded, it'd probably be worthwhile. – ceejayoz Jul 21 '16 at 14:55
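
The two limits named in the answer above, written out as an added configuration example (not part of the original answer or its comments). The user name `leakyuser`, UID 1001 and the 4 GiB ceiling are assumed values, and the second fragment assumes a systemd host running cgroup v2.

```conf
# --- /etc/security/limits.conf (applied by pam_limits at the user's next login) ---
# Format: <domain> <type> <item> <value>
# "as" caps each process's address space, in KB (4194304 KB = 4 GiB).
# "hard" means the user cannot raise the limit again with ulimit.
# The "rss" item is not used here: Linux 2.4.30 and later ignore it.
leakyuser    hard    as    4194304

# --- /etc/systemd/system/user-1001.slice.d/50-memory.conf ---
# Caps everything this user runs, taken together, which a per-process
# limit cannot do. MemorySwapMax=0 keeps the slice out of swap entirely.
# Run `systemctl daemon-reload` after creating the file.
[Slice]
MemoryMax=4G
MemorySwapMax=0
```

With the address-space limit, the leaking program's allocations start failing once a process reaches the ceiling. With the slice limit, the kernel's OOM killer acts inside that user's cgroup instead of the host being pushed into swap.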
11

You are trying to solve a human problem via technical means. This person is knowingly violating policy. The appropriate response is to (as @ceejayoz wisely mentioned above) get rid of that user, or at the very least, remove access to the system in question and any others like it.

EEAA
  • 109,904
4

If you have home directories on a separate partition you can mount the partition with noexec. Although I'd also agree to just ban the user.

bodgit
  • 4,771