Gentoo Forums
/etc/security/limits.conf ?
Guayasil
n00b


Joined: 30 Nov 2006
Posts: 71

Posted: Fri Feb 12, 2010 9:40 am    Post subject: /etc/security/limits.conf ?

The primary group for all ordinary users of my server is 'users'. I've set two limits for fork bomb protection:

@users hard nproc 128
@users hard maxlogins 16

With those settings my apache (which was extremely stable) ran out of resources and crashed every 1-2 days. I removed those settings and now it's OK. Tried once again -- the same result. The problem is that apache is not a member of the 'users' group and I don't understand why those settings affect it. Can anyone explain it to me?

Best regards,
tgR10
Apprentice


Joined: 23 Oct 2007
Posts: 262
Location: caly ten ambaras

Posted: Fri Feb 12, 2010 10:29 am    Post subject:

Dunno why, but to fix this issue,
edit the apache init script so the startup section looks like this:
Quote:
start() {
    checkconfig || return 1

    [ -f /var/log/apache2/ssl_scache ] && rm /var/log/apache2/ssl_scache
    # raise this shell's max-user-processes limit (RLIMIT_NPROC) before Apache starts
    ulimit -u unlimited
    ebegin "Starting ${SVCNAME}"
    ${APACHE2} ${APACHE2_OPTS} -k start

    # wait up to TIMEOUT seconds for the PID file to appear
    i=0
    while [ ! -e "${PIDFILE}" ] && [ $i -lt ${TIMEOUT} ]; do
        sleep 1 && i=$(expr $i + 1)
    done

    test $i -le ${TIMEOUT}
    eend $?
}

Rexilion
Veteran


Joined: 17 Mar 2009
Posts: 1044

Posted: Fri Feb 12, 2010 6:05 pm    Post subject:

tgR10 wrote:
ulimit -u unlimited

Isn't that another security problem?
Hu
Moderator


Joined: 06 Mar 2007
Posts: 15995

Posted: Sat Feb 13, 2010 4:25 am    Post subject:

How do you start your Apache server? It is possible that it was started by a user who had been restricted, and therefore Apache inherited the restriction.

Rexilion: it could be, yes. The full answer depends on whether or not the Apache in question could encounter a scenario that caused it to engage in a fork bomb. I would probably set the process limit to a limited value, though higher than the one which is presently causing trouble. Adjust it accordingly based on whether the new limit fixes the reported failure.
Guayasil
n00b


Joined: 30 Nov 2006
Posts: 71

Posted: Sat Feb 13, 2010 7:49 am    Post subject:

Hu wrote:
How do you start your Apache server? It is possible that it was started by a user who had been restricted, and therefore Apache inherited the restriction.


Just:
Code:
rc-update add apache default

and
Code:
su -
/etc/init.d/apache restart
Hu
Moderator


Joined: 06 Mar 2007
Posts: 15995

Posted: Sat Feb 13, 2010 6:10 pm    Post subject:

Guayasil wrote:
Hu wrote:
It is possible that it was started by a user who had been restricted, and therefore Apache inherited the restriction.
Code:
su -
/etc/init.d/apache restart
Exactly! Let the init system start Apache on its own, patch the init script to relax the rlimit settings that your root shell imposed, or change your root profile settings to relax the rlimit settings as part of the root login process (via .bash_profile or .bashrc).
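Added example (not part of the original thread): one way to check the explanation above is to compare the running daemon's "Max processes" row in /proc/<pid>/limits with the nproc rules in limits.conf. The function names are illustrative, the /proc excerpt is constructed sample data, and a matching value is a heuristic that the limit was inherited, not proof.

```shell
#!/bin/sh
# Added example. SAMPLE_LIMITS_CONF repeats the two rules from the first post;
# SAMPLE_PROC_LIMITS is a constructed excerpt in the /proc/<pid>/limits layout.
SAMPLE_LIMITS_CONF='@users hard nproc 128
@users hard maxlogins 16'

SAMPLE_PROC_LIMITS='Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max processes             128                  128                  processes
Max open files            1024                 4096                 files'

# Print "soft hard" for RLIMIT_NPROC from /proc/<pid>/limits-style text on stdin.
proc_nproc() {
    awk '$1 == "Max" && $2 == "processes" { print $3, $4 }'
}

# Print each nproc rule in limits.conf-style text on stdin as
# "domain type value", skipping comment lines.
conf_nproc() {
    awk '$1 !~ /^#/ && $3 == "nproc" { print $1, $2, $4 }'
}

# inherited_rule CONF_TEXT PROC_TEXT
# Prints the limits.conf rule whose value equals the process's hard limit and
# returns 0; returns 1 when the process is unlimited or matches no rule.
inherited_rule() {
    hard=$(printf '%s\n' "$2" | proc_nproc | awk '{ print $2 }')
    [ -n "$hard" ] && [ "$hard" != "unlimited" ] || return 1
    printf '%s\n' "$1" | conf_nproc |
        awk -v h="$hard" '$3 == h { print; found = 1 } END { exit !found }'
}

# Live use, as root (replace <apache-pid> with the daemon's PID):
#   inherited_rule "$(cat /etc/security/limits.conf)" "$(cat /proc/<apache-pid>/limits)"
if inherited_rule "$SAMPLE_LIMITS_CONF" "$SAMPLE_PROC_LIMITS"; then
    echo "daemon carries a limits.conf nproc value: likely started from a restricted session"
else
    echo "daemon nproc limit matches no limits.conf rule"
fi
```

If the daemon's row matches a rule, restart it from a session without that limit or set an explicit, higher limit in the init script, then re-check the row.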