Memory issue running PHP scripts from Jailshell account

[Sindre]

I have recently run into a problem where PHP scripts will not run correctly from a Jailshell SSH prompt, e.g.:

php -f myscript.php

The following error appears in the error_log:

Code:

PHP Fatal error:  Out of memory (allocated 20447232) (tried to allocate 4096 bytes) in myscript.php

The out of memory error triggers at exactly 20447232 bytes each time.

I have raised the memory_limit in php.ini to 256M or 512M, and the script outputs the correct memory limit when doing a echo ini_get('memory_limit').

The script completes without problems when run as root.

This leads me to believe the issue is somehow related to a non-PHP specific memory limit within the Jailshell environment.

I notice that the ulimit -v (virtual memory) is set to 200000 for the Jailshell account and unlimited for root. I don't know if this has anything to do with it, and neither am I able to raise the value for the jailshell.

Any help would be greatly appreciated!

Thanks in advance.

[wizzy420]

Same problem here.

Even though once inside jailshell any version of:

php -i
php-cli -i

etc. shows memory_limit as 96M

yet PHP craps out saying can't allocate more than 32M

seems to be some memory limitation with jailshell.

Any solutions?

[Sindre]

I really hope someone from cPanel team can comment on this, as it is starting to become a problem.

[cpanelkenneth]

Jailshell is a constrained environment by design. It is not meant to be a replacement for a full-featured, unrestricted, shell environment, such as is provided by Bash. If your user's need such full-featured environments then perhaps they need full shell access, or another method whereby they can accomplish their goal.

[wizzy420]

Is this 32MB something that is imposed in the source code of jailshell prior to forking off the bash shell?

Is it possible to get the source code so we could just change this and compile our own version?

[wizzy420]

Okay, the problem isn't jailshell.

It is cPanel's "Fork Bomb Protection"

Because of a bug in cPanel which does not disable (or enable!!!) protection once a user has a mount in virtfs you can not simply disable protection.

You can fix this by going into a particular users /home/virtfs/USERNAME/etc/bashrc and editing the "ulimit" line to increase allowed RAM allocation.

Others should note that if you should ever enable Fork Bomb/Memory protection *after* a server has been live, cPanel fails to turn it on for users that already have a virtfs system and you will still be unprotected.

cPanel should probably fix that.

Note that you should probably pick a sane value, and not simply mass change things to "unlimited"

W

[wizzy420]

Sindre,

Did you get a chance to try solution above?

[cpanelkenneth]

Okay, the problem isn't jailshell.

It is cPanel's "Fork Bomb Protection"

Because of a bug in cPanel which does not disable (or enable!!!) protection once a user has a mount in virtfs you can not simply disable protection.

You can fix this by going into a particular users /home/virtfs/USERNAME/etc/bashrc and editing the "ulimit" line to increase allowed RAM allocation.

Others should note that if you should ever enable Fork Bomb/Memory protection *after* a server has been live, cPanel fails to turn it on for users that already have a virtfs system and you will still be unprotected.

cPanel should probably fix that.

Note that you should probably pick a sane value, and not simply mass change things to "unlimited"

W

Thank you for reporting this.

[wizzy420]

Thank you for reporting this.

May have been premature ... jailshell seems to ignore bashrc limit line, perhaps the limit command is hardcoded into jailshell source?

[cpanelkenneth]

May have been premature ... jailshell seems to ignore bashrc limit line, perhaps the limit command is hardcoded into jailshell source?

Here's what happens:

1. Enabling Fork Bomb protection installs a limits.sh file /etc/profile.d/limits.sh
2. The limits.sh file contains the ulimit calls
3. When a Jailshell user logs in after Fork Bomb protection is enabled, the limits.sh is copied to /home/virtfs/user/etc/profile.d/limits.sh
4. When Fork Bomb protection is disabled /etc/profile.d/limits.sh is removed
5. /home/virtfs/etc/profile.d/limits.sh is never removed

[bfritton]

Is this still an issue with the current WHM version? I'm having trouble getting php scripts to run from cli.

[DomineauX]

Yes this problem does still exist.
also when shell fork bomb protection is enabled, changing a user from jailshell to normal shell via WHM "Manage Shell Access" doesn't actually change the user to normal shell. Disabling shell fork bomb protection then allows you to actually change the user to normal shell.

[cPanelKevin]

Actually after just digging around trying to resolve a memory issue the ulimit settings are inherited from /etc/profile when Shell Fork Bomb Protection is enabled.

Code:

#cPanel Added Limit Protections -- BEGIN
#unlimit so we can run the whoami
ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null

LIMITUSER=$USER
if [ -e "/usr/bin/whoami" ]; then
        LIMITUSER=`/usr/bin/whoami`
fi
if [ "$LIMITUSER" != "root" ]; then
        ulimit -n 100 -u 35 -m 268435456 -d 200000 -s 8192 -c 200000 -v 268435456 2>/dev/null
else
        ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null
fi
#cPanel Added Limit Protections -- END

Then saved in /home/virtfs/$username/etc/profile

If you enable/disable shell fork bomb protection then your changes are wiped out and have to be redone.