The purpose of /etc/profile.d/limit.sh

[s2s]

Can I ask what is the purpose of /etc/profile.d/limit.sh (and /etc/profile.d/limit.sch) ?
Linux already has /etc/security/limit.conf (and any individual profiles under /etc/profile.d/ ) for configuring systemwide limits.

Also, why are all users other than root assigned a measly nproc limit of 35?
I have a VPS that runs mail / web / ftp and I each time I try to SSH in using the hosting account user I get

bash: fork: Resource temporarily unavailable

ps shows about 30 instances of dovecot/imapd running (which would be about right for the number of mail accounts connecting).
...so this would leave the user with only 5 more process forks?

I have tried increasing this limit to a more sensible limit but nothing seems to work. Are there any other hidden configs/scripts that cPanel uses to control ulimit?

I have edited /etc/security/limit.conf , /etc/profile.d/limit.sh , /etc/profile.d/limit.sh and /etc/profile.d/limit.sch - rebooted and still the user is limited to nproc 35.

 

[cPanelMichael]

Hello

Check to see if shell fork bomb protection is enabled via:

"WHM Home » Security Center » Shell Fork Bomb Protection"

Thank you.

 

[s2s]

Hi Michael,

Yes it is enabled.
Doesn't this still allow modifying the ulimit?

 

[cPanelMichael]

You can manually modify the settings imposed by shell fork bomb protection using the instructions from this post:

Shell Fork Bomb Protection Exceptions

Thank you.

 

[s2s]

You can manually modify the settings imposed by shell fork bomb protection using the instructions from this post:

Shell Fork Bomb Protection Exceptions

Thank you.

Hi Michael,

Thanks, I have edited the /etc/profile file and have scheduled a reboot.
I noticed this is exactly the same as /etc/profile.d/limits.sh (and /etc/profile.d/limits.csh in C) - can I ask why so many exist and their purpose?

I have now edited:
/etc/security/limit.conf

admin   soft    nofile  4096
admin   hard    nofile  10240

/etc/security/limits.d/90-nproc.conf

admin   soft    nproc   1024
admin   hard    nproc   2048

/etc/profile.d/limit.sh

#cPanel Added Limit Protections -- BEGIN

#unlimit so we can run the whoami
ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null

LIMITUSER=$USER
if [ -e "/usr/bin/whoami" ]; then
        LIMITUSER=`/usr/bin/whoami`
fi
if [ "$LIMITUSER" != "root" ]; then
        ulimit -n 100 -u 35 -m 200000 -d 200000 -s 8192 -c 200000 -v unlimited 2>/dev/null
elif [ "$LIMITUSER" = "admin" ]; then
        ulimit -n 100 -u 1024 -m 200000 -d 200000 -s 8192 -c 200000 -v unlimited 2>/dev/null
else
    	ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev$
fi
#cPanel Added Limit Protections -- END

/etc/profile.d/limit.sch

#cPanel Added Limit Protections -- BEGIN
setenv LIMITUSER $USER
if ( -e /usr/bin/whoami ) then
        setenv LIMITUSER `whoami`
endif
if ( "$LIMITUSER" != "root" ) then
        limit descriptors 100
        limit maxproc 35
        limit memoryuse 200000
        limit datasize 200000
        limit stacksize 8192
        limit coredumpsize 200000
else if ( "$LIMITUSER" = "admin" ) then
        limit descriptors 100
        limit maxproc 1024
        limit memoryuse 200000
        limit datasize 200000
        limit stacksize 8192
        limit coredumpsize 200000
else
    	limit descriptors 4096
        limit maxproc 14335
        limit memoryuse unlimited
        limit datasize unlimited
        limit stacksize 8192
        limit coredumpsize 1000000
endif
#cPanel Added Limit Protections -- END

/etc/profile

...........
#unlimit so we can run the whoami
ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null

LIMITUSER=$USER
if [ -e "/usr/bin/whoami" ]; then
        LIMITUSER=`/usr/bin/whoami`
fi
if [ "$LIMITUSER" != "root" ]; then
        ulimit -n 100 -u 35 -m 200000 -d 200000 -s 8192 -c 200000 -v unlimited 2>/dev/null
elif [ "$LIMITUSER" = "admin" ]; then
        ulimit -n 100 -u 1024 -m 200000 -d 200000 -s 8192 -c 200000 -v unlimited 2>/dev/null
else
        ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/$
fi
#cPanel Added Limit Protections -- END

 

[s2s]

OK so the system rebooted last night and still today the nproc limit is 35 ?

[admin@myvps ~]$ ulimit -u
35

So there must be some other configuration or script that is controlling this (along with / apart from the other 5).

 

[cPanelMichael]

Feel free to open a support ticket if you want us to take a closer look. You can post the ticket number here so we can update this thread with the outcome.

Thank you.

 

[s2s]

Hi Michael,

Ticket number: 4566359

Edit: if you really need access, let me know (I refused it initially)

 

[cPanelMichael]

To update, the /etc/profile.d/limits.csh file was updated to:

##########
#cPanel Added Limit Protections -- BEGIN
setenv LIMITUSER $USER
if ( -e /usr/bin/whoami ) then
        setenv LIMITUSER `whoami`
endif
if ( "$LIMITUSER" = "admin" ) then
        limit descriptors 100
        limit maxproc 1024
        limit memoryuse 200000
        limit datasize 200000
        limit stacksize 8192
        limit coredumpsize 200000
else if ( "$LIMITUSER" != "root" ) then
        limit descriptors 100
        limit maxproc 35
        limit memoryuse 200000
        limit datasize 200000
        limit stacksize 8192
        limit coredumpsize 200000 
else
        limit descriptors 4096
        limit maxproc 14335
        limit memoryuse unlimited
        limit datasize unlimited
        limit stacksize 8192
        limit coredumpsize 1000000
endif
#cPanel Added Limit Protections -- END
##########

Thank you.

 

[s2s]

OK so I configured the change and scheduled a reboot - the limit still remains the same.

[admin@442248 ~]$ ulimit -u
35
[admin@442248 ~]$ cat /etc/profile.d/limits.csh 
##########
#cPanel Added Limit Protections -- BEGIN
setenv LIMITUSER $USER
if ( -e /usr/bin/whoami ) then
        setenv LIMITUSER `whoami`
endif
if ( "$LIMITUSER" = "admin" ) then
        limit descriptors 100
        limit maxproc 1024
        limit memoryuse 200000
        limit datasize 200000
        limit stacksize 8192
        limit coredumpsize 200000
else if ( "$LIMITUSER" != "root" ) then
        limit descriptors 100
        limit maxproc 35
        limit memoryuse 200000
        limit datasize 200000
        limit stacksize 8192
        limit coredumpsize 200000 
else
        limit descriptors 4096
        limit maxproc 14335
        limit memoryuse unlimited
        limit datasize unlimited
        limit stacksize 8192
        limit coredumpsize 1000000
endif
#cPanel Added Limit Protections -- END
##########

Now that I realise the error in my logic I will go back and apply the changes to all previously mentioned file, in the hope that one of them actually controls this setting.

 

[s2s]

Nope, still not working.

[admin@442248 ~]$ ulimit -u
35
[admin@442248 ~]$ cat /etc/security/limit.conf | grep admin
-bash: fork: retry: Resource temporarily unavailable
-bash: fork: retry: Resource temporarily unavailable
-bash: fork: retry: Resource temporarily unavailable
-bash: fork: retry: Resource temporarily unavailable
-bash: fork: Resource temporarily unavailable
[admin@442248 ~]$ cat /etc/security/limit.conf | grep admin
-bash: fork: retry: Resource temporarily unavailable
-bash: fork: retry: Resource temporarily unavailable
-bash: fork: retry: Resource temporarily unavailable
-bash: fork: retry: Resource temporarily unavailable
-bash: fork: Resource temporarily unavailable
[admin@442248 ~]$ cat /etc/security/limit.conf | grep admin
-bash: fork: retry: Resource temporarily unavailable
-bash: fork: retry: Resource temporarily unavailable
-bash: fork: retry: Resource temporarily unavailable
-bash: fork: retry: Resource temporarily unavailable
-bash: fork: Resource temporarily unavailable
[admin@442248 ~]$ cat /etc/security/limit.conf | grep admin
-bash: fork: retry: Resource temporarily unavailable
-bash: fork: retry: Resource temporarily unavailable
-bash: fork: retry: Resource temporarily unavailable
-bash: fork: retry: Resource temporarily unavailable
-bash: fork: Resource temporarily unavailable

Is it worthwhile re-opening the ticket I submitted?

- - - Updated - - -

Here are all the configs:

[root@442248 ~]# cat /etc/security/limits.conf | grep admin
admin	soft	nofile	1024
admin	hard	nofile	2048

[root@442248 ~]# cat /etc/security/limits.d/90-nproc.conf | grep admin
admin	soft    nproc   1024
admin	hard    nproc   2048

[root@442248 ~]# cat /etc/profile.d/limits.sh
#cPanel Added Limit Protections -- BEGIN

#unlimit so we can run the whoami
ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null

LIMITUSER=$USER
if [ -e "/usr/bin/whoami" ]; then
        LIMITUSER=`/usr/bin/whoami`
fi
if [ "$LIMITUSER" = "admin" ]; then
       ulimit -n 100 -u 1024 -m 200000 -d 200000 -s 8192 -c 200000 -v unlimited 2>/dev/null
elif [ "$LIMITUSER" != "root" ]; then
        ulimit -n 100 -u 35 -m 200000 -d 200000 -s 8192 -c 200000 -v unlimited 2>/dev/null
else
        ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null
fi
#cPanel Added Limit Protections -- END

[root@442248 ~]# cat /etc/profile.d/limits.csh
##########
#cPanel Added Limit Protections -- BEGIN
setenv LIMITUSER $USER
if ( -e /usr/bin/whoami ) then
        setenv LIMITUSER `whoami`
endif
if ( "$LIMITUSER" = "admin" ) then
        limit descriptors 100
        limit maxproc 1024
        limit memoryuse 200000
        limit datasize 200000
        limit stacksize 8192
        limit coredumpsize 200000
else if ( "$LIMITUSER" != "root" ) then
        limit descriptors 100
        limit maxproc 35
        limit memoryuse 200000
        limit datasize 200000
        limit stacksize 8192
        limit coredumpsize 200000 
else
        limit descriptors 4096
        limit maxproc 14335
        limit memoryuse unlimited
        limit datasize unlimited
        limit stacksize 8192
        limit coredumpsize 1000000
endif
#cPanel Added Limit Protections -- END
##########

[root@442248 ~]# cat /etc/profile
# /etc/profile

# System wide environment and startup programs, for login setup
# Functions and aliases go in /etc/bashrc

# It's NOT a good idea to change this file unless you know what you
# are doing. It's much better to create a custom.sh shell script in
# /etc/profile.d/ to make custom changes to your environment, as this
# will prevent the need for merging in future updates.

pathmunge () {
    case ":${PATH}:" in
        *:"$1":*)
            ;;
        *)
            if [ "$2" = "after" ] ; then
                PATH=$PATH:$1
            else
                PATH=$1:$PATH
            fi
    esac
}


if [ -x /usr/bin/id ]; then
    if [ -z "$EUID" ]; then
        # ksh workaround
        EUID=`id -u`
        UID=`id -ru`
    fi
    USER="`id -un`"
    LOGNAME=$USER
    MAIL="/var/spool/mail/$USER"
fi

# Path manipulation
if [ "$EUID" = "0" ]; then
    pathmunge /sbin
    pathmunge /usr/sbin
    pathmunge /usr/local/sbin
else
    pathmunge /usr/local/sbin after
    pathmunge /usr/sbin after
    pathmunge /sbin after
fi

HOSTNAME=`/bin/hostname 2>/dev/null`
HISTSIZE=1000
if [ "$HISTCONTROL" = "ignorespace" ] ; then
    export HISTCONTROL=ignoreboth
else
    export HISTCONTROL=ignoredups
fi

export PATH USER LOGNAME MAIL HOSTNAME HISTSIZE HISTCONTROL

# By default, we want umask to get set. This sets it for login shell
# Current threshold for system reserved uid/gids is 200
# You could check uidgid reservation validity in
# /usr/share/doc/setup-*/uidgid file
if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
    umask 002
else
    umask 022
fi

for i in /etc/profile.d/*.sh ; do
    if [ -r "$i" ]; then
        if [ "${-#*i}" != "$-" ]; then
            . "$i"
        else
            . "$i" >/dev/null 2>&1
        fi
    fi
done

unset i
unset pathmunge
#cPanel Added local::lib -- BEGIN
LOCALLIBUSER=$USER
if [ -e "/usr/bin/whoami" ]; then
        LOCALLIBUSER=`/usr/bin/whoami`
fi
if [ "$LOCALLIBUSER" != "root" ]; then
    eval $(perl -Mlocal::lib)
fi
#cPanel Added local::lib -- END
#cPanel Added Limit Protections -- BEGIN

#unlimit so we can run the whoami
ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null

LIMITUSER=$USER
if [ -e "/usr/bin/whoami" ]; then
        LIMITUSER=`/usr/bin/whoami`
fi
if [ "$LIMITUSER" = "admin" ]; then
        ulimit -n 100 -u 1024 -m 200000 -d 200000 -s 8192 -c 200000 -v unlimited 2>/dev/null
elif [ "$LIMITUSER" != "root" ]; then
        ulimit -n 100 -u 35 -m 200000 -d 200000 -s 8192 -c 200000 -v unlimited 2>/dev/null
else
        ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null
fi
#cPanel Added Limit Protections -- END

 

[cPanelMichael]

Yes, please reply to the existing ticket that you opened for further assistance.

Thank you.

 

[s2s]

Hi Michael, I have re-opened the ticket for further investigation.

May I note one thing - almost exactly one week after opening the ticket with cPanel Support I start receiving extrememly high volume of SMTPauth failure attacks. Normally our server would report roughly 1 - 2 per month, but since the ticket opening, our server has been reporting 20 per day (all to the same account provided in the support ticket).

I'm not placing any blame, just covering all bases. May be worth doing a check on the support system (encryption, etc)?

Keith

 

[cPanelMichael]

I don't suspect it's at all related to the support ticket, but free to mention that note in the ticket and one of our analysts will address it.

Thank you.

 

[s2s]

The issue has finally been resolved. Turns out there was yet another config controlling the settings (/etc/bashrc) .

To confirm, the configs were changed to:

##########
#cPanel Added Limit Protections -- BEGIN
setenv LIMITUSER $USER
if ( -e /usr/bin/whoami ) then
        setenv LIMITUSER `whoami`
endif
if ( "$LIMITUSER" == "admin" ) then
        limit descriptors 100
        limit maxproc 1024
        limit memoryuse 200000
        limit datasize 200000
        limit stacksize 8192
        limit coredumpsize 200000
else if ( "$LIMITUSER" != "root" ) then
        limit descriptors 100
        limit maxproc 45
        limit memoryuse 200000
        limit datasize 200000
        limit stacksize 8192
        limit coredumpsize 200000
else
        limit descriptors 4096
        limit maxproc 14335
        limit memoryuse unlimited
:q        limit datasize unlimited
        limit stacksize 8192
        limit coredumpsize 1000000
endif
#cPanel Added Limit Protections -- END
##########

And the overriding systemwide bash config:

#cPanel Added Limit Protections -- BEGIN

#unlimit so we can run the whoami
ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null

LIMITUSER=$USER
if [ -e "/usr/bin/whoami" ]; then
        LIMITUSER=`/usr/bin/whoami`
fi
if [ "$LIMITUSER" == "admin" ]; then
        ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null
elif [ "$LIMITUSER" != "root" ]; then
        ulimit -n 100 -u 35 -m 200000 -d 200000 -s 8192 -c 200000 -v unlimited 2>/dev/null
else
        ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null
fi
#cPanel Added Limit Protections -- END