The purpose of /etc/profile.d/limit.sh

Discussion in 'Security' started by s2s, Feb 6, 2014.

  1. s2s

    s2s Member

    Joined:
    Nov 21, 2013
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Can I ask what is the purpose of /etc/profile.d/limit.sh (and /etc/profile.d/limit.sch)?
    Linux already has /etc/security/limit.conf (and any individual profiles under /etc/profile.d/) for configuring systemwide limits.

    Also, why are all users other than root assigned a measly nproc limit of 35?
    I have a VPS that runs mail / web / ftp and each time I try to SSH in using the hosting account user I get

    Code:
    bash: fork: Resource temporarily unavailable

    ps shows about 30 instances of dovecot/imapd running (which would be about right for the number of mail accounts connecting).
    ...so this would leave the user with only 5 more process forks?

    I have tried increasing this limit to a more sensible limit but nothing seems to work. Are there any other hidden configs/scripts that cPanel uses to control ulimit?

    I have edited /etc/security/limit.conf, /etc/profile.d/limit.sh, /etc/profile.d/limit.sh and /etc/profile.d/limit.sch - rebooted and still the user is limited to nproc 35.
     
    #1 s2s, Feb 6, 2014
    Last edited: Feb 6, 2014
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  3. s2s

    Hi Michael,

    Yes it is enabled.
    Doesn't this still allow modifying the ulimit?
     
  4. cPanelMichael

  5. s2s

    Hi Michael,

    Thanks, I have edited the /etc/profile file and have scheduled a reboot.
    I noticed this is exactly the same as /etc/profile.d/limits.sh (and /etc/profile.d/limits.csh in C) - can I ask why so many exist and their purpose?

    I have now edited:
    /etc/security/limit.conf
    Code:
    admin   soft    nofile  4096
    admin   hard    nofile  10240
    
    /etc/security/limits.d/90-nproc.conf
    Code:
    admin   soft    nproc   1024
    admin   hard    nproc   2048

    /etc/profile.d/limit.sh
    Code:
    #cPanel Added Limit Protections -- BEGIN
    
    #unlimit so we can run the whoami
    ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null
    
    LIMITUSER=$USER
    if [ -e "/usr/bin/whoami" ]; then
            LIMITUSER=`/usr/bin/whoami`
    fi
    if [ "$LIMITUSER" != "root" ]; then
            ulimit -n 100 -u 35 -m 200000 -d 200000 -s 8192 -c 200000 -v unlimited 2>/dev/null
    elif [ "$LIMITUSER" = "admin" ]; then
            ulimit -n 100 -u 1024 -m 200000 -d 200000 -s 8192 -c 200000 -v unlimited 2>/dev/null
    else
            ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev$
    fi
    #cPanel Added Limit Protections -- END
    
    /etc/profile.d/limit.sch
    Code:
    #cPanel Added Limit Protections -- BEGIN
    setenv LIMITUSER $USER
    if ( -e /usr/bin/whoami ) then
            setenv LIMITUSER `whoami`
    endif
    if ( "$LIMITUSER" != "root" ) then
            limit descriptors 100
            limit maxproc 35
            limit memoryuse 200000
            limit datasize 200000
            limit stacksize 8192
            limit coredumpsize 200000
    else if ( "$LIMITUSER" = "admin" ) then
            limit descriptors 100
            limit maxproc 1024
            limit memoryuse 200000
            limit datasize 200000
            limit stacksize 8192
            limit coredumpsize 200000
    else
            limit descriptors 4096
            limit maxproc 14335
            limit memoryuse unlimited
            limit datasize unlimited
            limit stacksize 8192
            limit coredumpsize 1000000
    endif
    #cPanel Added Limit Protections -- END

    /etc/profile
    Code:
    ...........
    #unlimit so we can run the whoami
    ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null
    
    LIMITUSER=$USER
    if [ -e "/usr/bin/whoami" ]; then
            LIMITUSER=`/usr/bin/whoami`
    fi
    if [ "$LIMITUSER" != "root" ]; then
            ulimit -n 100 -u 35 -m 200000 -d 200000 -s 8192 -c 200000 -v unlimited 2>/dev/null
    elif [ "$LIMITUSER" = "admin" ]; then
            ulimit -n 100 -u 1024 -m 200000 -d 200000 -s 8192 -c 200000 -v unlimited 2>/dev/null
    else
            ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/$
    fi
    #cPanel Added Limit Protections -- END
    
     
  6. s2s

    OK so the system rebooted last night and still today the nproc limit is 35?

    Code:
    [admin@myvps ~]$ ulimit -u
    35

    So there must be some other configuration or script that is controlling this (along with / apart from the other 5).
     
  7. cPanelMichael

    Feel free to open a support ticket if you want us to take a closer look. You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  8. s2s

    Hi Michael,

    Ticket number: 4566359

    Edit: if you really need access, let me know (I refused it initially)
     
  9. cPanelMichael

    To update, the /etc/profile.d/limits.csh file was updated to:

    Code:
    ##########
    #cPanel Added Limit Protections -- BEGIN
    setenv LIMITUSER $USER
    if ( -e /usr/bin/whoami ) then
            setenv LIMITUSER `whoami`
    endif
    if ( "$LIMITUSER" = "admin" ) then
            limit descriptors 100
            limit maxproc 1024
            limit memoryuse 200000
            limit datasize 200000
            limit stacksize 8192
            limit coredumpsize 200000
    else if ( "$LIMITUSER" != "root" ) then
            limit descriptors 100
            limit maxproc 35
            limit memoryuse 200000
            limit datasize 200000
            limit stacksize 8192
            limit coredumpsize 200000 
    else
            limit descriptors 4096
            limit maxproc 14335
            limit memoryuse unlimited
            limit datasize unlimited
            limit stacksize 8192
            limit coredumpsize 1000000
    endif
    #cPanel Added Limit Protections -- END
    ##########

    Thank you.
     
  10. s2s

    OK so I configured the change and scheduled a reboot - the limit still remains the same.

    Code:
    [admin@442248 ~]$ ulimit -u
    35
    [admin@442248 ~]$ cat /etc/profile.d/limits.csh 
    ##########
    #cPanel Added Limit Protections -- BEGIN
    setenv LIMITUSER $USER
    if ( -e /usr/bin/whoami ) then
            setenv LIMITUSER `whoami`
    endif
    if ( "$LIMITUSER" = "admin" ) then
            limit descriptors 100
            limit maxproc 1024
            limit memoryuse 200000
            limit datasize 200000
            limit stacksize 8192
            limit coredumpsize 200000
    else if ( "$LIMITUSER" != "root" ) then
            limit descriptors 100
            limit maxproc 35
            limit memoryuse 200000
            limit datasize 200000
            limit stacksize 8192
            limit coredumpsize 200000 
    else
            limit descriptors 4096
            limit maxproc 14335
            limit memoryuse unlimited
            limit datasize unlimited
            limit stacksize 8192
            limit coredumpsize 1000000
    endif
    #cPanel Added Limit Protections -- END
    ##########
    
    Now that I realise the error in my logic I will go back and apply the changes to all previously mentioned files, in the hope that one of them actually controls this setting.
     
  11. s2s

    Nope, still not working.

    Code:
    [admin@442248 ~]$ ulimit -u
    35
    [admin@442248 ~]$ cat /etc/security/limit.conf | grep admin
    -bash: fork: retry: Resource temporarily unavailable
    -bash: fork: retry: Resource temporarily unavailable
    -bash: fork: retry: Resource temporarily unavailable
    -bash: fork: retry: Resource temporarily unavailable
    -bash: fork: Resource temporarily unavailable
    [admin@442248 ~]$ cat /etc/security/limit.conf | grep admin
    -bash: fork: retry: Resource temporarily unavailable
    -bash: fork: retry: Resource temporarily unavailable
    -bash: fork: retry: Resource temporarily unavailable
    -bash: fork: retry: Resource temporarily unavailable
    -bash: fork: Resource temporarily unavailable
    [admin@442248 ~]$ cat /etc/security/limit.conf | grep admin
    -bash: fork: retry: Resource temporarily unavailable
    -bash: fork: retry: Resource temporarily unavailable
    -bash: fork: retry: Resource temporarily unavailable
    -bash: fork: retry: Resource temporarily unavailable
    -bash: fork: Resource temporarily unavailable
    [admin@442248 ~]$ cat /etc/security/limit.conf | grep admin
    -bash: fork: retry: Resource temporarily unavailable
    -bash: fork: retry: Resource temporarily unavailable
    -bash: fork: retry: Resource temporarily unavailable
    -bash: fork: retry: Resource temporarily unavailable
    -bash: fork: Resource temporarily unavailable
    Is it worthwhile re-opening the ticket I submitted?

    - - - Updated - - -

    Here are all the configs:

    Code:
    [root@442248 ~]# cat /etc/security/limits.conf | grep admin
    admin	soft	nofile	1024
    admin	hard	nofile	2048
    
    [root@442248 ~]# cat /etc/security/limits.d/90-nproc.conf | grep admin
    admin	soft    nproc   1024
    admin	hard    nproc   2048
    
    [root@442248 ~]# cat /etc/profile.d/limits.sh
    #cPanel Added Limit Protections -- BEGIN
    
    #unlimit so we can run the whoami
    ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null
    
    LIMITUSER=$USER
    if [ -e "/usr/bin/whoami" ]; then
            LIMITUSER=`/usr/bin/whoami`
    fi
    if [ "$LIMITUSER" = "admin" ]; then
           ulimit -n 100 -u 1024 -m 200000 -d 200000 -s 8192 -c 200000 -v unlimited 2>/dev/null
    elif [ "$LIMITUSER" != "root" ]; then
            ulimit -n 100 -u 35 -m 200000 -d 200000 -s 8192 -c 200000 -v unlimited 2>/dev/null
    else
            ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null
    fi
    #cPanel Added Limit Protections -- END
    
    [root@442248 ~]# cat /etc/profile.d/limits.csh
    ##########
    #cPanel Added Limit Protections -- BEGIN
    setenv LIMITUSER $USER
    if ( -e /usr/bin/whoami ) then
            setenv LIMITUSER `whoami`
    endif
    if ( "$LIMITUSER" = "admin" ) then
            limit descriptors 100
            limit maxproc 1024
            limit memoryuse 200000
            limit datasize 200000
            limit stacksize 8192
            limit coredumpsize 200000
    else if ( "$LIMITUSER" != "root" ) then
            limit descriptors 100
            limit maxproc 35
            limit memoryuse 200000
            limit datasize 200000
            limit stacksize 8192
            limit coredumpsize 200000 
    else
            limit descriptors 4096
            limit maxproc 14335
            limit memoryuse unlimited
            limit datasize unlimited
            limit stacksize 8192
            limit coredumpsize 1000000
    endif
    #cPanel Added Limit Protections -- END
    ##########
    
    [root@442248 ~]# cat /etc/profile
    # /etc/profile
    
    # System wide environment and startup programs, for login setup
    # Functions and aliases go in /etc/bashrc
    
    # It's NOT a good idea to change this file unless you know what you
    # are doing. It's much better to create a custom.sh shell script in
    # /etc/profile.d/ to make custom changes to your environment, as this
    # will prevent the need for merging in future updates.
    
    pathmunge () {
        case ":${PATH}:" in
            *:"$1":*)
                ;;
            *)
                if [ "$2" = "after" ] ; then
                    PATH=$PATH:$1
                else
                    PATH=$1:$PATH
                fi
        esac
    }
    
    
    if [ -x /usr/bin/id ]; then
        if [ -z "$EUID" ]; then
            # ksh workaround
            EUID=`id -u`
            UID=`id -ru`
        fi
        USER="`id -un`"
        LOGNAME=$USER
        MAIL="/var/spool/mail/$USER"
    fi
    
    # Path manipulation
    if [ "$EUID" = "0" ]; then
        pathmunge /sbin
        pathmunge /usr/sbin
        pathmunge /usr/local/sbin
    else
        pathmunge /usr/local/sbin after
        pathmunge /usr/sbin after
        pathmunge /sbin after
    fi
    
    HOSTNAME=`/bin/hostname 2>/dev/null`
    HISTSIZE=1000
    if [ "$HISTCONTROL" = "ignorespace" ] ; then
        export HISTCONTROL=ignoreboth
    else
        export HISTCONTROL=ignoredups
    fi
    
    export PATH USER LOGNAME MAIL HOSTNAME HISTSIZE HISTCONTROL
    
    # By default, we want umask to get set. This sets it for login shell
    # Current threshold for system reserved uid/gids is 200
    # You could check uidgid reservation validity in
    # /usr/share/doc/setup-*/uidgid file
    if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
        umask 002
    else
        umask 022
    fi
    
    for i in /etc/profile.d/*.sh ; do
        if [ -r "$i" ]; then
            if [ "${-#*i}" != "$-" ]; then
                . "$i"
            else
                . "$i" >/dev/null 2>&1
            fi
        fi
    done
    
    unset i
    unset pathmunge
    #cPanel Added local::lib -- BEGIN
    LOCALLIBUSER=$USER
    if [ -e "/usr/bin/whoami" ]; then
            LOCALLIBUSER=`/usr/bin/whoami`
    fi
    if [ "$LOCALLIBUSER" != "root" ]; then
        eval $(perl -Mlocal::lib)
    fi
    #cPanel Added local::lib -- END
    #cPanel Added Limit Protections -- BEGIN
    
    #unlimit so we can run the whoami
    ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null
    
    LIMITUSER=$USER
    if [ -e "/usr/bin/whoami" ]; then
            LIMITUSER=`/usr/bin/whoami`
    fi
    if [ "$LIMITUSER" = "admin" ]; then
            ulimit -n 100 -u 1024 -m 200000 -d 200000 -s 8192 -c 200000 -v unlimited 2>/dev/null
    elif [ "$LIMITUSER" != "root" ]; then
            ulimit -n 100 -u 35 -m 200000 -d 200000 -s 8192 -c 200000 -v unlimited 2>/dev/null
    else
            ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null
    fi
    #cPanel Added Limit Protections -- END
    
    
     
  12. cPanelMichael

  13. s2s

    Hi Michael, I have re-opened the ticket for further investigation.

    May I note one thing - almost exactly one week after opening the ticket with cPanel Support I started receiving an extremely high volume of SMTPauth failure attacks. Normally our server would report roughly 1 - 2 per month, but since the ticket opening, our server has been reporting 20 per day (all to the same account provided in the support ticket).

    I'm not placing any blame, just covering all bases. May be worth doing a check on the support system (encryption, etc)?

    Keith
     
  14. cPanelMichael

    I don't suspect it's at all related to the support ticket, but feel free to mention that note in the ticket and one of our analysts will address it.

    Thank you.
     
  15. s2s

    The issue has finally been resolved. Turns out there was yet another config controlling the settings (/etc/bashrc).

    To confirm, the configs were changed to:
    Code:
    ##########
    #cPanel Added Limit Protections -- BEGIN
    setenv LIMITUSER $USER
    if ( -e /usr/bin/whoami ) then
            setenv LIMITUSER `whoami`
    endif
    if ( "$LIMITUSER" == "admin" ) then
            limit descriptors 100
            limit maxproc 1024
            limit memoryuse 200000
            limit datasize 200000
            limit stacksize 8192
            limit coredumpsize 200000
    else if ( "$LIMITUSER" != "root" ) then
            limit descriptors 100
            limit maxproc 45
            limit memoryuse 200000
            limit datasize 200000
            limit stacksize 8192
            limit coredumpsize 200000
    else
            limit descriptors 4096
            limit maxproc 14335
            limit memoryuse unlimited
            limit datasize unlimited
            limit stacksize 8192
            limit coredumpsize 1000000
    endif
    #cPanel Added Limit Protections -- END
    ##########

    And the overriding systemwide bash config:
    Code:
    #cPanel Added Limit Protections -- BEGIN
    
    #unlimit so we can run the whoami
    ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null
    
    LIMITUSER=$USER
    if [ -e "/usr/bin/whoami" ]; then
            LIMITUSER=`/usr/bin/whoami`
    fi
    if [ "$LIMITUSER" == "admin" ]; then
            ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null
    elif [ "$LIMITUSER" != "root" ]; then
            ulimit -n 100 -u 35 -m 200000 -d 200000 -s 8192 -c 200000 -v unlimited 2>/dev/null
    else
            ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null
    fi
    #cPanel Added Limit Protections -- END
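
The thread turned on two things: the process limit was set in more files than anyone had checked, and in the first edited copies the `!= "root"` test came before the `= "admin"` test. The following is an added example, not code from the thread or from cPanel, that scans for both; the function names, the extra csh startup files in the scan list, and the sample tree are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not cPanel's code): audit where the per-user process limit is set.

# Print file:line:text for every line under ROOT (default: the live system) that
# sets a process limit: bash "ulimit ... -u N", csh "limit maxproc N", or a
# pam_limits "nproc" entry.
find_nproc_settings() {
    local root=${1:-} f
    for f in "$root"/etc/security/limits.conf "$root"/etc/security/limits.d/*.conf \
             "$root"/etc/profile "$root"/etc/profile.d/*.sh "$root"/etc/profile.d/*.csh \
             "$root"/etc/bashrc "$root"/etc/csh.cshrc "$root"/etc/csh.login; do
        [ -r "$f" ] || continue   # skips missing files and unmatched globs
        grep -nHE '^[[:space:]]*(ulimit[[:space:]].*-u[[:space:]]+[0-9a-z]+|limit[[:space:]]+maxproc[[:space:]]|[^#[:space:]]+[[:space:]]+(soft|hard|-)[[:space:]]+nproc[[:space:]])' "$f" || true
    done
    return 0
}

# Print each elif / "else if" that tests for one named user but follows a
# != "root" test in the same chain: every non-root user already matched above.
shadowed_branches() {
    awk '
        /^[ \t]*if[ \t(]/ || /^[ \t]*(fi|endif)[ \t]*$/ { catchall = 0 }
        /^[ \t]*(if|elif|else if)[ \t(].*!=[ \t]*"root"/ { catchall = 1; next }
        catchall && /^[ \t]*(elif|else if)[ \t(].*[^!=]==?[ \t]*"[^"]+"/ {
            printf "%s:%d: never reached by non-root users: %s\n", FILENAME, FNR, $0
        }' "$@"
}

# Constructed sample tree: limits.sh has the corrected order, bashrc still has
# the original order from the thread.
make_sample_tree() {
    local d
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc/profile.d" "$d/etc/security/limits.d"
    printf 'admin\tsoft\tnproc\t1024\n' > "$d/etc/security/limits.d/90-nproc.conf"
    cat > "$d/etc/profile.d/limits.sh" <<'EOF'
if [ "$LIMITUSER" = "admin" ]; then
        ulimit -n 100 -u 1024 2>/dev/null
elif [ "$LIMITUSER" != "root" ]; then
        ulimit -n 100 -u 35 2>/dev/null
fi
EOF
    cat > "$d/etc/bashrc" <<'EOF'
if [ "$LIMITUSER" != "root" ]; then
        ulimit -n 100 -u 35 2>/dev/null
elif [ "$LIMITUSER" = "admin" ]; then
        ulimit -n 100 -u 1024 2>/dev/null
fi
EOF
    echo "$d"
}

tree=$(make_sample_tree)
find_nproc_settings "$tree"
shadowed_branches "$tree/etc/bashrc" "$tree/etc/profile.d/limits.sh"
rm -rf "$tree"
```

Called with no argument, `find_nproc_settings` scans the live `/etc`; a non-root shell cannot raise a limit above its current hard limit, so the last file sourced that lowers it determines what `ulimit -u` reports.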
     