The purpose of /etc/profile.d/limit.sh
Can I ask what is the purpose of /etc/profile.d/limit.sh (and /etc/profile.d/limit.sch) ?
Linux already has /etc/security/limit.conf (and any individual profiles under /etc/profile.d/ ) for configuring systemwide limits.
Also, why are all users other than root assigned a measly nproc limit of 35?
I have a VPS that runs mail / web / ftp and each time I try to SSH in using the hosting account user I get

    bash: fork: Resource temporarily unavailable

ps shows about 30 instances of dovecot/imapd running (which would be about right for the number of mail accounts connecting). ...so this would leave the user with only 5 more process forks? I have tried increasing this limit to a more sensible limit but nothing seems to work. Are there any other hidden configs/scripts that cPanel uses to control ulimit? I have edited /etc/security/limit.conf, /etc/profile.d/limit.sh, /etc/profile.d/limit.sh and /etc/profile.d/limit.sch - rebooted and still the user is limited to nproc 35.
Hello :) Check to see if shell fork bomb protection is enabled via: "WHM Home » Security Center » Shell Fork Bomb Protection" Thank you. 0 -
Hi Michael, Yes it is enabled. Doesn't this still allow modifying the ulimit? 0 -
You can manually modify the settings imposed by shell fork bomb protection using the instructions from this post: Shell Fork Bomb Protection Exceptions Thank you. 0 -
Hi Michael, Thanks, I have edited the /etc/profile file and have scheduled a reboot. I noticed this is exactly the same as /etc/profile.d/limits.sh (and /etc/profile.d/limits.csh in C) - can I ask why so many exist and their purpose? I have now edited:

/etc/security/limit.conf

    admin soft nofile 4096
    admin hard nofile 10240

/etc/security/limits.d/90-nproc.conf

    admin soft nproc 1024
    admin hard nproc 2048

/etc/profile.d/limit.sh

    #cPanel Added Limit Protections -- BEGIN
    #unlimit so we can run the whoami
    ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null

    LIMITUSER=$USER
    if [ -e "/usr/bin/whoami" ]; then
        LIMITUSER=`/usr/bin/whoami`
    fi
    if [ "$LIMITUSER" != "root" ]; then
        ulimit -n 100 -u 35 -m 200000 -d 200000 -s 8192 -c 200000 -v unlimited 2>/dev/null
    elif [ "$LIMITUSER" = "admin" ]; then
        ulimit -n 100 -u 1024 -m 200000 -d 200000 -s 8192 -c 200000 -v unlimited 2>/dev/null
    else
        ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev$
    fi
    #cPanel Added Limit Protections -- END

/etc/profile.d/limit.sch

    #cPanel Added Limit Protections -- BEGIN
    setenv LIMITUSER $USER
    if ( -e /usr/bin/whoami ) then
        setenv LIMITUSER `whoami`
    endif
    if ( "$LIMITUSER" != "root" ) then
        limit descriptors 100
        limit maxproc 35
        limit memoryuse 200000
        limit datasize 200000
        limit stacksize 8192
        limit coredumpsize 200000
    else if ( "$LIMITUSER" = "admin" ) then
        limit descriptors 100
        limit maxproc 1024
        limit memoryuse 200000
        limit datasize 200000
        limit stacksize 8192
        limit coredumpsize 200000
    else
        limit descriptors 4096
        limit maxproc 14335
        limit memoryuse unlimited
        limit datasize unlimited
        limit stacksize 8192
        limit coredumpsize 1000000
    endif
    #cPanel Added Limit Protections -- END

/etc/profile

    ...........
    #unlimit so we can run the whoami
    ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null

    LIMITUSER=$USER
    if [ -e "/usr/bin/whoami" ]; then
        LIMITUSER=`/usr/bin/whoami`
    fi
    if [ "$LIMITUSER" != "root" ]; then
        ulimit -n 100 -u 35 -m 200000 -d 200000 -s 8192 -c 200000 -v unlimited 2>/dev/null
    elif [ "$LIMITUSER" = "admin" ]; then
        ulimit -n 100 -u 1024 -m 200000 -d 200000 -s 8192 -c 200000 -v unlimited 2>/dev/null
    else
        ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/$
    fi
    #cPanel Added Limit Protections -- END

0 -
OK so the system rebooted last night and still today the nproc limit is 35 ?

    [admin@myvps ~]$ ulimit -u
    35

So there must be some other configuration or script that is controlling this (along with / apart from the other 5). 0 -
Feel free to open a support ticket if you want us to take a closer look. You can post the ticket number here so we can update this thread with the outcome. Thank you. 0 -
Hi Michael, Ticket number: 4566359 Edit: if you really need access, let me know (I refused it initially) 0 -
To update, the /etc/profile.d/limits.csh file was updated to:

    ##########
    #cPanel Added Limit Protections -- BEGIN
    setenv LIMITUSER $USER
    if ( -e /usr/bin/whoami ) then
        setenv LIMITUSER `whoami`
    endif
    if ( "$LIMITUSER" = "admin" ) then
        limit descriptors 100
        limit maxproc 1024
        limit memoryuse 200000
        limit datasize 200000
        limit stacksize 8192
        limit coredumpsize 200000
    else if ( "$LIMITUSER" != "root" ) then
        limit descriptors 100
        limit maxproc 35
        limit memoryuse 200000
        limit datasize 200000
        limit stacksize 8192
        limit coredumpsize 200000
    else
        limit descriptors 4096
        limit maxproc 14335
        limit memoryuse unlimited
        limit datasize unlimited
        limit stacksize 8192
        limit coredumpsize 1000000
    endif
    #cPanel Added Limit Protections -- END
    ##########

Thank you. 0 -
OK so I configured the change and scheduled a reboot - the limit still remains the same.

    [admin@442248 ~]$ ulimit -u
    35
    [admin@442248 ~]$ cat /etc/profile.d/limits.csh
    ##########
    #cPanel Added Limit Protections -- BEGIN
    setenv LIMITUSER $USER
    if ( -e /usr/bin/whoami ) then
        setenv LIMITUSER `whoami`
    endif
    if ( "$LIMITUSER" = "admin" ) then
        limit descriptors 100
        limit maxproc 1024
        limit memoryuse 200000
        limit datasize 200000
        limit stacksize 8192
        limit coredumpsize 200000
    else if ( "$LIMITUSER" != "root" ) then
        limit descriptors 100
        limit maxproc 35
        limit memoryuse 200000
        limit datasize 200000
        limit stacksize 8192
        limit coredumpsize 200000
    else
        limit descriptors 4096
        limit maxproc 14335
        limit memoryuse unlimited
        limit datasize unlimited
        limit stacksize 8192
        limit coredumpsize 1000000
    endif
    #cPanel Added Limit Protections -- END
    ##########

Now that I realise the error in my logic I will go back and apply the changes to all previously mentioned files, in the hope that one of them actually controls this setting. 0 -
Nope, still not working.

    [admin@442248 ~]$ ulimit -u
    35
    [admin@442248 ~]$ cat /etc/security/limit.conf | grep admin
    -bash: fork: retry: Resource temporarily unavailable
    -bash: fork: retry: Resource temporarily unavailable
    -bash: fork: retry: Resource temporarily unavailable
    -bash: fork: retry: Resource temporarily unavailable
    -bash: fork: Resource temporarily unavailable
    [admin@442248 ~]$ cat /etc/security/limit.conf | grep admin
    -bash: fork: retry: Resource temporarily unavailable
    -bash: fork: retry: Resource temporarily unavailable
    -bash: fork: retry: Resource temporarily unavailable
    -bash: fork: retry: Resource temporarily unavailable
    -bash: fork: Resource temporarily unavailable
    [admin@442248 ~]$ cat /etc/security/limit.conf | grep admin
    -bash: fork: retry: Resource temporarily unavailable
    -bash: fork: retry: Resource temporarily unavailable
    -bash: fork: retry: Resource temporarily unavailable
    -bash: fork: retry: Resource temporarily unavailable
    -bash: fork: Resource temporarily unavailable
    [admin@442248 ~]$ cat /etc/security/limit.conf | grep admin
    -bash: fork: retry: Resource temporarily unavailable
    -bash: fork: retry: Resource temporarily unavailable
    -bash: fork: retry: Resource temporarily unavailable
    -bash: fork: retry: Resource temporarily unavailable
    -bash: fork: Resource temporarily unavailable

Is it worthwhile re-opening the ticket I submitted?

- - - Updated - - -

Here are all the configs:

    [root@442248 ~]# cat /etc/security/limits.conf | grep admin
    admin soft nofile 1024
    admin hard nofile 2048
    [root@442248 ~]# cat /etc/security/limits.d/90-nproc.conf | grep admin
    admin soft nproc 1024
    admin hard nproc 2048
    [root@442248 ~]# cat /etc/profile.d/limits.sh
    #cPanel Added Limit Protections -- BEGIN
    #unlimit so we can run the whoami
    ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null

    LIMITUSER=$USER
    if [ -e "/usr/bin/whoami" ]; then
        LIMITUSER=`/usr/bin/whoami`
    fi
    if [ "$LIMITUSER" = "admin" ]; then
        ulimit -n 100 -u 1024 -m 200000 -d 200000 -s 8192 -c 200000 -v unlimited 2>/dev/null
    elif [ "$LIMITUSER" != "root" ]; then
        ulimit -n 100 -u 35 -m 200000 -d 200000 -s 8192 -c 200000 -v unlimited 2>/dev/null
    else
        ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null
    fi
    #cPanel Added Limit Protections -- END
    [root@442248 ~]# cat /etc/profile.d/limits.csh
    ##########
    #cPanel Added Limit Protections -- BEGIN
    setenv LIMITUSER $USER
    if ( -e /usr/bin/whoami ) then
        setenv LIMITUSER `whoami`
    endif
    if ( "$LIMITUSER" = "admin" ) then
        limit descriptors 100
        limit maxproc 1024
        limit memoryuse 200000
        limit datasize 200000
        limit stacksize 8192
        limit coredumpsize 200000
    else if ( "$LIMITUSER" != "root" ) then
        limit descriptors 100
        limit maxproc 35
        limit memoryuse 200000
        limit datasize 200000
        limit stacksize 8192
        limit coredumpsize 200000
    else
        limit descriptors 4096
        limit maxproc 14335
        limit memoryuse unlimited
        limit datasize unlimited
        limit stacksize 8192
        limit coredumpsize 1000000
    endif
    #cPanel Added Limit Protections -- END
    ##########
    [root@442248 ~]# cat /etc/profile
    # /etc/profile

    # System wide environment and startup programs, for login setup
    # Functions and aliases go in /etc/bashrc

    # It's NOT a good idea to change this file unless you know what you
    # are doing. It's much better to create a custom.sh shell script in
    # /etc/profile.d/ to make custom changes to your environment, as this
    # will prevent the need for merging in future updates.

    pathmunge () {
        case ":${PATH}:" in
            *:"$1":*)
                ;;
            *)
                if [ "$2" = "after" ] ; then
                    PATH=$PATH:$1
                else
                    PATH=$1:$PATH
                fi
        esac
    }

    if [ -x /usr/bin/id ]; then
        if [ -z "$EUID" ]; then
            # ksh workaround
            EUID=`id -u`
            UID=`id -ru`
        fi
        USER="`id -un`"
        LOGNAME=$USER
        MAIL="/var/spool/mail/$USER"
    fi

    # Path manipulation
    if [ "$EUID" = "0" ]; then
        pathmunge /sbin
        pathmunge /usr/sbin
        pathmunge /usr/local/sbin
    else
        pathmunge /usr/local/sbin after
        pathmunge /usr/sbin after
        pathmunge /sbin after
    fi

    HOSTNAME=`/bin/hostname 2>/dev/null`
    HISTSIZE=1000
    if [ "$HISTCONTROL" = "ignorespace" ] ; then
        export HISTCONTROL=ignoreboth
    else
        export HISTCONTROL=ignoredups
    fi

    export PATH USER LOGNAME MAIL HOSTNAME HISTSIZE HISTCONTROL

    # By default, we want umask to get set. This sets it for login shell
    # Current threshold for system reserved uid/gids is 200
    # You could check uidgid reservation validity in
    # /usr/share/doc/setup-*/uidgid file
    if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
        umask 002
    else
        umask 022
    fi

    for i in /etc/profile.d/*.sh ; do
        if [ -r "$i" ]; then
            if [ "${-#*i}" != "$-" ]; then
                . "$i"
            else
                . "$i" >/dev/null 2>&1
            fi
        fi
    done

    unset i
    unset pathmunge

    #cPanel Added local::lib -- BEGIN
    LOCALLIBUSER=$USER
    if [ -e "/usr/bin/whoami" ]; then
        LOCALLIBUSER=`/usr/bin/whoami`
    fi
    if [ "$LOCALLIBUSER" != "root" ]; then
        eval $(perl -Mlocal::lib)
    fi
    #cPanel Added local::lib -- END

    #cPanel Added Limit Protections -- BEGIN
    #unlimit so we can run the whoami
    ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null

    LIMITUSER=$USER
    if [ -e "/usr/bin/whoami" ]; then
        LIMITUSER=`/usr/bin/whoami`
    fi
    if [ "$LIMITUSER" = "admin" ]; then
        ulimit -n 100 -u 1024 -m 200000 -d 200000 -s 8192 -c 200000 -v unlimited 2>/dev/null
    elif [ "$LIMITUSER" != "root" ]; then
        ulimit -n 100 -u 35 -m 200000 -d 200000 -s 8192 -c 200000 -v unlimited 2>/dev/null
    else
        ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null
    fi
    #cPanel Added Limit Protections -- END

0 -
Yes, please reply to the existing ticket that you opened for further assistance. Thank you. 0 -
Hi Michael, I have re-opened the ticket for further investigation. May I note one thing - almost exactly one week after opening the ticket with cPanel Support I start receiving extremely high volume of SMTPauth failure attacks. Normally our server would report roughly 1 - 2 per month, but since the ticket opening, our server has been reporting 20 per day (all to the same account provided in the support ticket). I'm not placing any blame, just covering all bases. May be worth doing a check on the support system (encryption, etc)? Keith 0 -
I don't suspect it's at all related to the support ticket, but feel free to mention that note in the ticket and one of our analysts will address it. Thank you. 0 -
The issue has finally been resolved. Turns out there was yet another config controlling the settings (/etc/bashrc). To confirm, the configs were changed to:

    ##########
    #cPanel Added Limit Protections -- BEGIN
    setenv LIMITUSER $USER
    if ( -e /usr/bin/whoami ) then
        setenv LIMITUSER `whoami`
    endif
    if ( "$LIMITUSER" == "admin" ) then
        limit descriptors 100
        limit maxproc 1024
        limit memoryuse 200000
        limit datasize 200000
        limit stacksize 8192
        limit coredumpsize 200000
    else if ( "$LIMITUSER" != "root" ) then
        limit descriptors 100
        limit maxproc 45
        limit memoryuse 200000
        limit datasize 200000
        limit stacksize 8192
        limit coredumpsize 200000
    else
        limit descriptors 4096
        limit maxproc 14335
        limit memoryuse unlimited :q
        limit datasize unlimited
        limit stacksize 8192
        limit coredumpsize 1000000
    endif
    #cPanel Added Limit Protections -- END
    ##########

And the overriding systemwide bash config:

    #cPanel Added Limit Protections -- BEGIN
    #unlimit so we can run the whoami
    ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null

    LIMITUSER=$USER
    if [ -e "/usr/bin/whoami" ]; then
        LIMITUSER=`/usr/bin/whoami`
    fi
    if [ "$LIMITUSER" == "admin" ]; then
        ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null
    elif [ "$LIMITUSER" != "root" ]; then
        ulimit -n 100 -u 35 -m 200000 -d 200000 -s 8192 -c 200000 -v unlimited 2>/dev/null
    else
        ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null
    fi
    #cPanel Added Limit Protections -- END

0
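
The thread was resolved only once an overlooked file (/etc/bashrc) turned up, so here is one way to enumerate every place a process limit is set. This is an added example, not code from the thread's participants or from cPanel; the function names `find_nproc_settings` and `make_sample_tree` and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not cPanel code. Lists every nproc setting under ROOT/etc.
# Output records: path:line:kind:value
#   sh  = "ulimit ... -u N"   csh = "limit maxproc N"
#   pam = limits.conf syntax, shown as domain/type=N
find_nproc_settings() (
    root=${1:-}
    # grep -I skips binaries, -l lists candidate files; awk extracts values.
    grep -rIlE 'ulimit|maxproc|nproc' "$root/etc" 2>/dev/null | LC_ALL=C sort |
    while IFS= read -r f; do
        awk -v p="${f#"$root"}" '
            /^[ \t]*#/ { next }    # ignore commented-out settings
            /ulimit[ \t]/ {
                for (i = 1; i < NF; i++)
                    if ($i == "-u") print p ":" NR ":sh:" $(i + 1)
            }
            $1 == "limit" && $2 == "maxproc" { print p ":" NR ":csh:" $3 }
            NF >= 4 && $3 == "nproc" { print p ":" NR ":pam:" $1 "/" $2 "=" $4 }
        ' "$f"
    done
)

# Constructed sample tree modelled on the files named in the thread.
make_sample_tree() (
    t=$(mktemp -d) || exit 1
    mkdir -p "$t/etc/profile.d" "$t/etc/security/limits.d"
    printf '%s\n' 'admin soft nproc 1024' 'admin hard nproc 2048' \
        > "$t/etc/security/limits.d/90-nproc.conf"
    printf '%s\n' 'if [ "$LIMITUSER" = "admin" ]; then' \
        '  ulimit -n 100 -u 1024 -m 200000 2>/dev/null' 'fi' \
        > "$t/etc/profile.d/limits.sh"
    printf '%s\n' 'limit descriptors 100' 'limit maxproc 1024' \
        > "$t/etc/profile.d/limits.csh"
    printf '%s\n' '# ulimit -u 99 (commented out)' \
        'if [ "$LIMITUSER" != "root" ]; then' \
        '  ulimit -n 100 -u 35 -m 200000 2>/dev/null' 'fi' \
        > "$t/etc/bashrc"
    echo "$t"
)

tree=$(make_sample_tree)
find_nproc_settings "$tree"
rm -rf "$tree"
```

Run as root with no argument, `find_nproc_settings` scans the live /etc. A bare `ulimit -u N` sets both the soft and the hard limit, and a non-root shell cannot raise a hard limit again, so the lowest value a login passes through is the one that sticks, whichever file is sourced last.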