Memory issue running PHP scripts from Jailshell account

Sindre

Well-Known Member
Aug 25, 2008
46
0
56
I have recently run into a problem where PHP scripts will not run correctly from a Jailshell SSH prompt, e.g.:

php -f myscript.php

The following error appears in the error_log:

Code:
PHP Fatal error:  Out of memory (allocated 20447232) (tried to allocate 4096 bytes) in myscript.php
The out of memory error triggers at exactly 20447232 bytes each time.

I have raised the memory_limit in php.ini to 256M or 512M, and the script outputs the correct memory limit when doing a echo ini_get('memory_limit').

The script completes without problems when run as root.

This leads me to believe the issue is somehow related to a non-PHP specific memory limit within the Jailshell environment.

I notice that the ulimit -v (virtual memory) is set to 200000 for the Jailshell account and unlimited for root. I don't know if this has anything to do with it, and neither am I able to raise the value for the jailshell.

Any help would be greatly appreciated!

Thanks in advance.
 

wizzy420

Well-Known Member
Nov 13, 2007
127
2
68
Same problem here.

Even though once inside jailshell any version of:

php -i
php-cli -i

etc. shows memory_limit as 96M

yet PHP craps out saying can't allocate more than 32M

seems to be some memory limitation with jailshell.

Any solutions?
 

Sindre

Well-Known Member
Aug 25, 2008
46
0
56
I really hope someone from cPanel team can comment on this, as it is starting to become a problem.
 

cPanelKenneth

cPanel Development
Staff member
Apr 7, 2006
4,608
77
308
cPanel Access Level
Root Administrator
Jailshell is a constrained environment by design. It is not meant to be a replacement for a full-featured, unrestricted, shell environment, such as is provided by Bash. If your user's need such full-featured environments then perhaps they need full shell access, or another method whereby they can accomplish their goal.
 

wizzy420

Well-Known Member
Nov 13, 2007
127
2
68
Is this 32MB something that is imposed in the source code of jailshell prior to forking off the bash shell?

Is it possible to get the source code so we could just change this and compile our own version?
 

wizzy420

Well-Known Member
Nov 13, 2007
127
2
68
Okay, the problem isn't jailshell.

It is cPanel's "Fork Bomb Protection"

Because of a bug in cPanel which does not disable (or enable!!!) protection once a user has a mount in virtfs you can not simply disable protection.

You can fix this by going into a particular users /home/virtfs/USERNAME/etc/bashrc and editing the "ulimit" line to increase allowed RAM allocation.

Others should note that if you should ever enable Fork Bomb/Memory protection *after* a server has been live, cPanel fails to turn it on for users that already have a virtfs system and you will still be unprotected.

cPanel should probably fix that.

Note that you should probably pick a sane value, and not simply mass change things to "unlimited"

W
 

cPanelKenneth

cPanel Development
Staff member
Apr 7, 2006
4,608
77
308
cPanel Access Level
Root Administrator
Okay, the problem isn't jailshell.

It is cPanel's "Fork Bomb Protection"

Because of a bug in cPanel which does not disable (or enable!!!) protection once a user has a mount in virtfs you can not simply disable protection.

You can fix this by going into a particular users /home/virtfs/USERNAME/etc/bashrc and editing the "ulimit" line to increase allowed RAM allocation.

Others should note that if you should ever enable Fork Bomb/Memory protection *after* a server has been live, cPanel fails to turn it on for users that already have a virtfs system and you will still be unprotected.

cPanel should probably fix that.

Note that you should probably pick a sane value, and not simply mass change things to "unlimited"

W
Thank you for reporting this.
 

cPanelKenneth

cPanel Development
Staff member
Apr 7, 2006
4,608
77
308
cPanel Access Level
Root Administrator
May have been premature ... jailshell seems to ignore bashrc limit line, perhaps the limit command is hardcoded into jailshell source?
Here's what happens:

1. Enabling Fork Bomb protection installs a limits.sh file /etc/profile.d/limits.sh
2. The limits.sh file contains the ulimit calls
3. When a Jailshell user logs in after Fork Bomb protection is enabled, the limits.sh is copied to /home/virtfs/user/etc/profile.d/limits.sh
4. When Fork Bomb protection is disabled /etc/profile.d/limits.sh is removed
5. /home/virtfs/etc/profile.d/limits.sh is never removed
 

bfritton

Registered
Nov 29, 2010
1
0
51
Is this still an issue with the current WHM version? I'm having trouble getting php scripts to run from cli.
 

DomineauX

Well-Known Member
PartnerNOC
Apr 12, 2003
429
11
168
Houston, TX
cPanel Access Level
Root Administrator
Yes this problem does still exist.
also when shell fork bomb protection is enabled, changing a user from jailshell to normal shell via WHM "Manage Shell Access" doesn't actually change the user to normal shell. Disabling shell fork bomb protection then allows you to actually change the user to normal shell.
 

Kevinfrom

Well-Known Member
Jan 18, 2008
47
1
56
Actually after just digging around trying to resolve a memory issue the ulimit settings are inherited from /etc/profile when Shell Fork Bomb Protection is enabled.

Code:
#cPanel Added Limit Protections -- BEGIN
#unlimit so we can run the whoami
ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null

LIMITUSER=$USER
if [ -e "/usr/bin/whoami" ]; then
        LIMITUSER=`/usr/bin/whoami`
fi
if [ "$LIMITUSER" != "root" ]; then
        ulimit -n 100 -u 35 -m 268435456 -d 200000 -s 8192 -c 200000 -v 268435456 2>/dev/null
else
        ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null
fi
#cPanel Added Limit Protections -- END

Then saved in /home/virtfs/$username/etc/profile

If you enable/disable shell fork bomb protection then your changes are wiped out and have to be redone.