User killed the server with php-cli. Shell fork bomb protection not working?

[Clouseau]

Hello, today one of my users run this:

/opt/cpanel/ea-php73/root/usr/bin/php-cgi -f test.php

and it was run over 2500 times at the same time and then the server run out of memory and started to kill mysql, bind etc. Shell fork bomb protection is enabled. Can I limit this somehow?

grep test.php ps.output |wc -l

2544

 

[Clouseau]

This is what I get when I login as user account. User has jailshell enabled btw, not normal shell. Is that the cause why protection is not working?

su - user -s /bin/bash

ulimit -a
core file size          (blocks, -c) 200000
data seg size           (kbytes, -d) 200000
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) 95607
max locked memory       (kbytes, -l) 64
max memory size         (kbytes, -m) 200000
open files                      (-n) 100
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) 8192
cpu time               (seconds, -t) unlimited
max user processes              (-u) 35
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited

This is the default in server:

cat /etc/security/limits.d/20-nproc.conf
# Default limit for number of user's processes to prevent
# accidental fork bombs.
# See rhbz #432903 for reasoning.

*          soft    nproc     4096
root       soft    nproc     unlimited

As the user killed server with 2500 processes, I should lower the 4096 value or add new value:

useraccount soft nproc 256

 

[Clouseau]

If I create script test.php with following content:

<?php echo exec('php -m'); ?>

and call it over URL http://www.domain.com/test.php it will start spawning bunch of processes and eating all the ram on the server. How is this possible? Is this a bug in suPHP module?

user 107442 21.0 0.0 389044 18264 ? S 17:53 0:00 /opt/cpanel/ea-php73/root/usr/bin/php-cgi -m
user 107459 7.0 0.0 389044 18264 ? S 17:53 0:00 /opt/cpanel/ea-php73/root/usr/bin/php-cgi -m
user 107465 3.0 0.0 389044 18268 ? S 17:53 0:00 /opt/cpanel/ea-php73/root/usr/bin/php-cgi -m
user 107476 2.0 0.0 389044 18260 ? S 17:53 0:00 /opt/cpanel/ea-php73/root/usr/bin/php-cgi -m
user 107478 3.0 0.0 389044 18264 ? S 17:53 0:00 /opt/cpanel/ea-php73/root/usr/bin/php-cgi -m
....

 

[cPanelAaronH]

Hey there,

You are correct that fork bomb protection should prevent this, Shell Fork Bomb Protection | cPanel & WHM Documentation.

I also do not see anything mentioned as far as Jailshell not working with Fork bomb being enabled. VirtFS Jailed Shell | cPanel & WHM Documentation

If you're still facing issues with this, feel free to open a ticket with our support team and we can take a look.