deploy

Member
Oct 26, 2009
5
0
51
We have several servers using cPanel/WHM. We use a typical LAMP setup and have Apache 2 with PHP 5. We are using mod_php (SU PHP) so that individual files can be owned by the user account. But the problem we are running into is that some of our hosting account users are crashing the server because they are using up all of the system resources.

How can I limit a user from being able to use 99% of the cpu and memory of the server?
 

deploy

I have tracked it down to the problem hosting accounts. If they install a CMS such as Drupal or Joomla, most PHP scripts will be pushed through their index.php, so this is the only script that will be logged under process monitors like top or MySQL memory usage, correct? At that point it would be hard to determine which add-on inside the CMS is causing the problem, but mostly it's poorly written code and a non-optimized database.

If I have tracked it down to the user level, is there not a way to say, for example, this account can utilize 256 MB of memory and 12% CPU max, so that they cannot crash the server?
 

deploy

I found /etc/profile.d/limit.sh to be used by the ulimit command.

It looks like it will do what I want it to do. Output of ulimit -a (as the user):

core file size (blocks, -c) 200000
data seg size (kbytes, -d) 200000
file size (blocks, -f) unlimited
pending signals (-i) 1024
max locked memory (kbytes, -l) 32
max memory size (kbytes, -m) 200000
open files (-n) 100
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 20
virtual memory (kbytes, -v) 200000
file locks (-x) unlimited



The output of the limits.sh:

#cPanel Added Limit Protections -- BEGIN

#unlimit so we can run the whoami
ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null

LIMITUSER=$USER
if [ -e "/usr/bin/whoami" ]; then
    LIMITUSER=`/usr/bin/whoami`
fi
if [ "$LIMITUSER" != "root" ]; then
    ulimit -n 100 -u 20 -m 200000 -d 200000 -s 8192 -c 200000 -v 200000 2>/dev/null
else
    ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null
fi
#cPanel Added Limit Protections -- END



Since this seems to be a cPanel-added section, if I make changes, such as changing -n 100 to -n 50, how would I trigger cPanel to run this script on all the user accounts? Or will it only apply to newly created accounts?
 

cPanelDon

cPanel Quality Assurance Analyst
Staff member
Nov 5, 2008
2,545
12
268
Houston, Texas, U.S.A.
cPanel Access Level
DataCenter Provider
Twitter

deploy

The following non-cPanel configuration file may also be of interest; however, please use caution when considering configuration options within this file as it could (has the potential to) break or excessively restrict normal activity and usage depending on the custom security limits and settings implemented:
Code:
/etc/security/limits.conf
Documentation reference:
A Linux-PAM page
The Linux-PAM System Administrators' Guide
6.15. pam_limits - limit resources
Pam-list Info Page

Thank you, I found this limit file. But from what I can tell, it is used with PAM and the other is used with ulimit. Is that correct?

However, I am still confused: if I make changes in these files, especially /etc/profile.d/limit.sh, when will these settings go into effect, and will I need to do anything to apply them to current users?
 

deploy

cPanelDon, thank you for the documentation. I read through the links and installed the patch for EasyApache. Because we are using su_php, it stated that we needed to apply a patch to Apache in order for PAM to work.

I have not recompiled Apache with this patch enabled due to the warning from the patch description inside easyApache.

"This patch allows users to be authorized to use suphp with pam. It also allows /etc/security/*.conf to be used in conjunction with suPHP. This patch does not properly close its PAM sessions, does not do any verification or checks when linking against PAM and will probably make suPHP slower if it happens to work on your box. See the 'More Info' link for the patch's origin This option will make the following changes to your profile prior to the build:

Enables:
Mod SuPHP"

I am not sure if I can use the documents or /etc/security/limits.conf if they are utilizing PAM.

Do you suggest using this patch despite the messages?
 

cPanelDon

Do you suggest using this patch despite the messages?
I would not use the custom patch to the Apache source. At most I would consider using EasyApache to have the build include SuPHP (if it's not included already), and once the build is finished, ensure both SuExec and SuPHP are enabled.

After ensuring your Apache build has SuPHP included, the following menu path in WHM may be used to ensure both SuPHP and SuExec are enabled:
WHM: Main >> Service Configuration >> Apache Configuration >> PHP and SuExec Configuration
 

LinuxFreaky

Well-Known Member
Sep 22, 2001
87
0
306
cPanelDon, you would not recommend installing that patch? But you had mentioned using /etc/security/limits.conf earlier. How would that apply to web users if this patch isn't even enabled?

Btw, I've installed the patch and compiled it via EasyApache. But it doesn't seem to be working. There were no errors reported and Apache still works fine. The limit works when I use ssh and log in as the user though, just not via the web.

This is what I put in /etc/security/limits.conf :
bobble hard nproc 1

bobble is the username I want to restrict.
 

ReiJu

Well-Known Member
Mar 14, 2008
57
1
58
I use the patch mentioned by LinuxFreaky on my server, but the limit for suphp is not working. I even made /etc/pam.d/{suphp,su_PHP,php,httpd} with the suggested content, but nothing happened. It's unusable, I guess. CMIIW.
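
The difference reported in the last two posts (a limit that applies over SSH but not to PHP run through the web server) can be checked directly, because Linux exposes each process's effective limits in /proc/<pid>/limits. The following is an added example, not part of any post in this thread; the function names and the two sample files are constructed for illustration, with the SSH values taken from the limit.sh shown earlier.

```shell
#!/bin/sh
# Added example (not from the thread). Linux-only: reads /proc/<pid>/limits.

# limit_of FILE NAME: print "soft hard" for the row labelled NAME
# (for example "Max processes") in a /proc/<pid>/limits file.
limit_of() {
    awk -v name="$2" '
        index($0, name " ") == 1 {
            split(substr($0, length(name) + 1), f, " ")
            print f[1], f[2]; found = 1; exit
        }
        END { exit !found }' "$1"
}

# same_limit FILE_A FILE_B NAME: succeed only if both processes have the
# same soft and hard value for NAME.
same_limit() {
    [ "$(limit_of "$1" "$3")" = "$(limit_of "$2" "$3")" ]
}

# user_limits USER NAME: "pid command soft hard" for every process of USER,
# so a PHP process spawned by the web server can be compared with a shell.
user_limits() {
    ps -u "$1" -o pid= -o comm= | while read -r pid comm; do
        [ -r "/proc/$pid/limits" ] || continue
        echo "$pid $comm $(limit_of "/proc/$pid/limits" "$2")"
    done
}

# Constructed sample data: an SSH login shell that picked up the limits from
# /etc/profile.d, and a web-spawned PHP process that did not.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/ssh_shell" <<'EOF'
Limit                     Soft Limit           Hard Limit           Units
Max open files            100                  100                  files
Max processes             20                   20                   processes
EOF
cat > "$SAMPLES/web_php" <<'EOF'
Limit                     Soft Limit           Hard Limit           Units
Max open files            1024                 4096                 files
Max processes             14335                14335                processes
EOF

limit_of "$SAMPLES/ssh_shell" "Max processes"
limit_of "$SAMPLES/web_php" "Max processes"
same_limit "$SAMPLES/ssh_shell" "$SAMPLES/web_php" "Max processes" ||
    echo "limits differ: the web path is not applying the shell's limits"
```

On a live server, `user_limits bobble "Max processes"` run as root while a PHP page of that account is executing lists the value each of the account's processes actually received.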