Environment

  • Red Hat Enterprise Linux 4
  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6

Issue

Getting Error su: cannot set user id: Resource temporarily unavailable error while trying to su or to login as a local user. This error is also observed when logging in as a user on the console and using the SSH.

Resolution

  • Check /etc/security/limits.conf and all files in /etc/security/limits.d/ for the current setting of the nproc value
  • Extend the nproc value. This can be done in /etc/security/limits.conf or in any file in a file in /etc/security/limits.d/.
  • Example of /etc/security/limits.conf:
<username>      -      nproc          <limit number>

e.g.
testuser         -      nproc          10240
  • In Red Hat Enterprise Linux 6, there’s a default setting in /etc/security/limits.d/90-nproc.conf. Change the default limit for all users or add a new limit for the affected user
# Default limit for number of user's processes to prevent
# accidental fork bombs.
# See rhbz #432903 for reasoning.

*          soft    nproc     1024
testuser   soft    nproc     10240    <== add

Root Cause

  • The user fails to log in because an EAGAIN error occurs if the user’s number of executing threads has reached the nproc resource limit.

    Note: Despite the name, this is a limit on threads, not processes.

  • This error may occur if user’s nproc limit is set to /etc/security/limits.conf.
  • In Red Hat Enterprise Linux 6, this error occurs even if the limit is not explicitly set because the default configuration for all users is set in /etc/security/limits.d/90-nproc.conf.

Diagnostic Steps

  • Check nproc and nofile in /etc/security/limits.conf for the user.
  • Log in as this user and run ulimit -u:
    $ ulimit -u
    120831

 

  • Look at /proc/sys/kernel/threads-max:
    # cat /proc/sys/kernel/threads-max
    241663

 

  • Look at the number of user processes(threads)
    # ps -u testuser -L | wc -l
    103

 

  • Look at /var/log/secure:
      su: pam_keyinit(su-l:session): Unable to change UID to 24074 temporarily 
      su: pam_keyinit(su-l:session): Unable to change UID to 24074 temporarily

 

  • Look at strace. Run strace -ttTvfo /tmp/su.strace su - testuser:
      23318 10:35:59.758440 setgid(24075)     = 0 <0.000005>
      23318 10:35:59.758471 setuid(24074)     = -1 EAGAIN (Resource temporarily unavailable) <0.000018>