The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Memory issue running PHP scripts from Jailshell account

Discussion in 'General Discussion' started by Sindre, Aug 5, 2009.

  1. Sindre

    Sindre Well-Known Member

    Joined:
    Aug 25, 2008
    Messages:
    46
    Likes Received:
    0
    Trophy Points:
    6
    I have recently run into a problem where PHP scripts will not run correctly from a Jailshell SSH prompt, e.g.:

    php -f myscript.php

    The following error appears in the error_log:

    Code:
    PHP Fatal error:  Out of memory (allocated 20447232) (tried to allocate 4096 bytes) in myscript.php
    The out of memory error triggers at exactly 20447232 bytes each time.

    I have raised the memory_limit in php.ini to 256M or 512M, and the script outputs the correct memory limit when doing a echo ini_get('memory_limit').

    The script completes without problems when run as root.

    This leads me to believe the issue is somehow related to a non-PHP specific memory limit within the Jailshell environment.

    I notice that the ulimit -v (virtual memory) is set to 200000 for the Jailshell account and unlimited for root. I don't know if this has anything to do with it, and neither am I able to raise the value for the jailshell.

    Any help would be greatly appreciated!

    Thanks in advance.
     
  2. wizzy420

    wizzy420 Well-Known Member

    Joined:
    Nov 13, 2007
    Messages:
    125
    Likes Received:
    2
    Trophy Points:
    18
    Same problem here.

    Even though once inside jailshell any version of:

    php -i
    php-cli -i

    etc. shows memory_limit as 96M

    yet PHP craps out saying can't allocate more than 32M

    seems to be some memory limitation with jailshell.

    Any solutions?
     
  3. Sindre

    Sindre Well-Known Member

    Joined:
    Aug 25, 2008
    Messages:
    46
    Likes Received:
    0
    Trophy Points:
    6
    I really hope someone from cPanel team can comment on this, as it is starting to become a problem.
     
  4. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,460
    Likes Received:
    22
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    Jailshell is a constrained environment by design. It is not meant to be a replacement for a full-featured, unrestricted, shell environment, such as is provided by Bash. If your user's need such full-featured environments then perhaps they need full shell access, or another method whereby they can accomplish their goal.
     
  5. wizzy420

    wizzy420 Well-Known Member

    Joined:
    Nov 13, 2007
    Messages:
    125
    Likes Received:
    2
    Trophy Points:
    18
    Is this 32MB something that is imposed in the source code of jailshell prior to forking off the bash shell?

    Is it possible to get the source code so we could just change this and compile our own version?
     
  6. wizzy420

    wizzy420 Well-Known Member

    Joined:
    Nov 13, 2007
    Messages:
    125
    Likes Received:
    2
    Trophy Points:
    18
    Okay, the problem isn't jailshell.

    It is cPanel's "Fork Bomb Protection"

    Because of a bug in cPanel which does not disable (or enable!!!) protection once a user has a mount in virtfs you can not simply disable protection.

    You can fix this by going into a particular users /home/virtfs/USERNAME/etc/bashrc and editing the "ulimit" line to increase allowed RAM allocation.

    Others should note that if you should ever enable Fork Bomb/Memory protection *after* a server has been live, cPanel fails to turn it on for users that already have a virtfs system and you will still be unprotected.

    cPanel should probably fix that.

    Note that you should probably pick a sane value, and not simply mass change things to "unlimited"

    W
     
  7. wizzy420

    wizzy420 Well-Known Member

    Joined:
    Nov 13, 2007
    Messages:
    125
    Likes Received:
    2
    Trophy Points:
    18
    Sindre,

    Did you get a chance to try solution above?
     
  8. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,460
    Likes Received:
    22
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    Thank you for reporting this.
     
  9. wizzy420

    wizzy420 Well-Known Member

    Joined:
    Nov 13, 2007
    Messages:
    125
    Likes Received:
    2
    Trophy Points:
    18
    May have been premature ... jailshell seems to ignore bashrc limit line, perhaps the limit command is hardcoded into jailshell source?
     
  10. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,460
    Likes Received:
    22
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    Here's what happens:

    1. Enabling Fork Bomb protection installs a limits.sh file /etc/profile.d/limits.sh
    2. The limits.sh file contains the ulimit calls
    3. When a Jailshell user logs in after Fork Bomb protection is enabled, the limits.sh is copied to /home/virtfs/user/etc/profile.d/limits.sh
    4. When Fork Bomb protection is disabled /etc/profile.d/limits.sh is removed
    5. /home/virtfs/etc/profile.d/limits.sh is never removed
     
  11. bfritton

    bfritton Registered

    Joined:
    Nov 29, 2010
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Is this still an issue with the current WHM version? I'm having trouble getting php scripts to run from cli.
     
  12. DomineauX

    DomineauX Well-Known Member
    PartnerNOC

    Joined:
    Apr 12, 2003
    Messages:
    414
    Likes Received:
    4
    Trophy Points:
    18
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    Yes this problem does still exist.
    also when shell fork bomb protection is enabled, changing a user from jailshell to normal shell via WHM "Manage Shell Access" doesn't actually change the user to normal shell. Disabling shell fork bomb protection then allows you to actually change the user to normal shell.
     
  13. Kevinfrom

    Kevinfrom Well-Known Member

    Joined:
    Jan 18, 2008
    Messages:
    47
    Likes Received:
    0
    Trophy Points:
    6
    Actually after just digging around trying to resolve a memory issue the ulimit settings are inherited from /etc/profile when Shell Fork Bomb Protection is enabled.

    Code:
    #cPanel Added Limit Protections -- BEGIN
    #unlimit so we can run the whoami
    ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null
    
    LIMITUSER=$USER
    if [ -e "/usr/bin/whoami" ]; then
            LIMITUSER=`/usr/bin/whoami`
    fi
    if [ "$LIMITUSER" != "root" ]; then
            ulimit -n 100 -u 35 -m 268435456 -d 200000 -s 8192 -c 200000 -v 268435456 2>/dev/null
    else
            ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null
    fi
    #cPanel Added Limit Protections -- END

    Then saved in /home/virtfs/$username/etc/profile

    If you enable/disable shell fork bomb protection then your changes are wiped out and have to be redone.
     
Loading...

Share This Page