Guayasil n00b
Joined: 30 Nov 2006 Posts: 71
|
Posted: Fri Feb 12, 2010 9:40 am Post subject: /etc/security/limits.conf ? |
|
|
The primary group for all ordinary users of my server is 'users'. I've set two limits for fork bomb protection:
@users hard nproc 128
@users hard maxlogins 16
With those settings, my apache (which was extremely stable) ran out of resources and crashed every 1-2 days. I removed those settings and now it's OK. Tried once again -- the same result. The problem is that apache is not a member of the 'users' group and I don't understand why those settings affect it. Can anyone explain it to me?
Best regards, |
tgR10 Apprentice
Joined: 23 Oct 2007 Posts: 262 Location: caly ten ambaras
|
Posted: Fri Feb 12, 2010 10:29 am Post subject: |
|
|
Dunno why, but to fix this issue,
edit the apache init script so the startup section looks like this:
Quote: | start() {
    checkconfig || return 1
    [ -f /var/log/apache2/ssl_scache ] && rm /var/log/apache2/ssl_scache
    ulimit -u unlimited
    ebegin "Starting ${SVCNAME}"
    ${APACHE2} ${APACHE2_OPTS} -k start
    i=0
    while [ ! -e "${PIDFILE}" ] && [ $i -lt ${TIMEOUT} ]; do
        sleep 1 && i=$(expr $i + 1)
    done
    test $i -le ${TIMEOUT}
    eend $?
} |
Rexilion Veteran
Joined: 17 Mar 2009 Posts: 1044
|
Posted: Fri Feb 12, 2010 6:05 pm Post subject: |
|
|
tgR10 wrote: | ulimit -u unlimited |
Isn't that another security problem? |
Hu Administrator
Joined: 06 Mar 2007 Posts: 23082
|
Posted: Sat Feb 13, 2010 4:25 am Post subject: |
|
|
How do you start your Apache server? It is possible that it was started by a user who had been restricted, and therefore Apache inherited the restriction.
Rexilion: it could be, yes. The full answer depends on whether or not the Apache in question could encounter a scenario that caused it to engage in a fork bomb. I would probably set the process limit to a limited value, though higher than the one which is presently causing trouble. Adjust it accordingly based on whether the new limit fixes the reported failure. |
Guayasil n00b
Joined: 30 Nov 2006 Posts: 71
|
Posted: Sat Feb 13, 2010 7:49 am Post subject: |
|
|
Hu wrote: | How do you start your Apache server? It is possible that it was started by a user who had been restricted, and therefore Apache inherited the restriction.
|
Just:
Code: | rc-update add apache default |
and
Code: | su -
/etc/init.d/apache restart |
Hu Administrator
Joined: 06 Mar 2007 Posts: 23082
|
Posted: Sat Feb 13, 2010 6:10 pm Post subject: |
|
|
Guayasil wrote: | Hu wrote: | It is possible that it was started by a user who had been restricted, and therefore Apache inherited the restriction.
|
Code: | su -
/etc/init.d/apache restart |
|
Exactly! Let the init system start Apache on its own, patch the init script to relax the rlimit settings that your root shell imposed, or change your root profile settings to relax the rlimit settings as part of the root login process (via .bash_profile or .bashrc). |
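Added example, not part of any post in this thread: one way to confirm the inheritance described above is to read the "Max processes" row of /proc/<pid>/limits (a Linux kernel interface) for the running Apache parent process. The function names and the sample text are constructed for illustration; the 128 threshold is the nproc value from the first post.

```shell
#!/bin/sh
# Constructed sample in the layout of /proc/<pid>/limits; the values mirror
# the "nproc 128" limit from the thread, they were not captured from a host.
SAMPLE_LIMITS='Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max processes             128                  128                  processes
Max open files            1024                 4096                 files'

# Print "soft hard" for the "Max processes" row read from stdin.
nproc_limits() {
    awk '/^Max processes/ { print $3, $4 }'
}

# Classify the soft nproc limit read from stdin against a threshold ($1).
# Prints unlimited, restricted:<n>, ok:<n> or unknown (exit status 2).
nproc_status() {
    threshold=$1
    set -- $(nproc_limits)
    soft=${1:-}
    case "$soft" in
        unlimited) echo "unlimited" ;;
        ''|*[!0-9]*) echo "unknown"; return 2 ;;
        *)
            if [ "$soft" -le "$threshold" ]; then
                echo "restricted:$soft"   # daemon inherited the login limit
            else
                echo "ok:$soft"
            fi ;;
    esac
}

# Same check against a live process: $1 = pid, $2 = threshold.
pid_nproc_status() {
    [ -r "/proc/$1/limits" ] || { echo "unknown"; return 2; }
    nproc_status "$2" < "/proc/$1/limits"
}

# Live use (PIDFILE as in the init script quoted earlier in the thread):
#   pid_nproc_status "$(cat "$PIDFILE")" 128
printf '%s\n' "$SAMPLE_LIMITS" | nproc_status 128   # prints restricted:128
```

Running the check once after a boot-time start and once after a manual restart from a root login shell shows whether the two start paths give Apache different limits.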