LinuxQuestions.org
Old 05-06-2012, 10:54 AM   #1
clintonm9
LQ Newbie
 
Registered: Jun 2003
Posts: 20

Rep: Reputation: 0
Security limits.conf email/syslog notifications


I have set up /etc/security/limits.conf to limit all human users to just be able to run 50 processes to help prevent fork bombs.

@users hard nproc 50

When testing, this works great:
){ :|:& };:
I now see -bash: fork: Resource temporarily unavailable

Same thing with perl:
perl -e "while(1) {fork(); }"

The problem is I need to get alerts if these limits are reached.

I have searched and cannot find any way to get notified. I don't see any entries being logged to syslog either.

Any thoughts?
Thanks!
 
Old 05-06-2012, 09:42 PM   #2
clintonm9
LQ Newbie
 
Registered: Jun 2003
Posts: 20

Original Poster
Rep: Reputation: 0
Weird Apache/Security Limits.conf issue?

So I have set up a maximum number of processes a user can have in /etc/security/limits.conf

testuser hard nproc 16

When logging into the user I am limited to 16 processes (this is all bash based).

Then when I sudo -s into the root account the limit is now removed (this is what I want!)

When I start Apache I now get this error:
[Sun May 06 21:34:39 2012] [alert] (11)Resource temporarily unavailable: setuid: unable to change to uid: 48

If I remove the testuser line from limits.conf it fixes the issue.

Any ideas why this limit is causing this when the root user is not inheriting the testuser limit on the shell? The apache user should also not be limited in any way.
 
Old 05-07-2012, 05:57 AM   #3
em31amit
Member
 
Registered: Apr 2012
Location: /root
Distribution: Ubuntu, Redhat, Fedora, CentOS
Posts: 190

Rep: Reputation: 55
Alerts?? Are you talking about the /var/log/messages file? Or any monitoring tool?
 
Old 05-07-2012, 07:41 AM   #4
heinblöd
Member
 
Registered: May 2004
Location: France
Distribution: Slackware Gentoo
Posts: 186

Rep: Reputation: 31
Very likely you limited the apache user (uid 48 = apache? I guess?) to fewer processes than Apache needs to start up.
Or some error in the limits doesn't allow Apache to drop its root privileges after startup.

Why do you want to limit a service with PAM?

Last edited by heinblöd; 05-07-2012 at 07:42 AM.
 
Old 05-07-2012, 10:14 AM   #5
clintonm9
LQ Newbie
 
Registered: Jun 2003
Posts: 20

Original Poster
Rep: Reputation: 0
I am not limiting apache. Apache is not in the users group. That is what is weird about this.
 
Old 05-07-2012, 11:35 AM   #6
clintonm9
LQ Newbie
 
Registered: Jun 2003
Posts: 20

Original Poster
Rep: Reputation: 0
I would like an email when this limit is reached. But writing to /var/log/messages would be fine as well, but it doesn't do that with the default setup.
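The notification clintonm9 asks for in posts #1 and #6 does not exist out of the box: when a user is at the nproc limit the kernel refuses the fork with EAGAIN and logs nothing. The script below is an added example, not code from the thread; it parses the nproc lines of limits.conf, counts live processes per user from /proc, and raises a syslog warning when someone is at 90% or more of their limit. The warn_ratio, the precedence user > @group > * and the use of the local group database are this example's assumptions.

```python
"""Warn via syslog when a user approaches the hard nproc limit that
/etc/security/limits.conf gives them. Added example, not from the thread.
Assumes: only 'hard' (or '-') nproc lines count, '@group' entries resolve
through the group database, '*' applies to users with no closer match."""
import glob, grp, pwd, syslog

def parse_nproc_limits(text):
    """{'user' | '@group' | '*': hard nproc} from limits.conf text; other items ignored."""
    limits = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) == 4 and parts[1] in ("hard", "-") and parts[2] == "nproc":
            limits[parts[0]] = int(parts[3])
    return limits

def limit_for(user, limits, groups_of):
    # Explicit user entry wins, then the first matching @group, then '*'.
    if user in limits:
        return limits[user]
    for g in groups_of(user):
        if "@" + g in limits:
            return limits["@" + g]
    return limits.get("*")

def check(counts, limits, groups_of, warn_ratio=0.9):
    # (user, count, limit) for every user at or above warn_ratio of their limit.
    hits = []
    for user, n in sorted(counts.items()):
        lim = limit_for(user, limits, groups_of)
        if lim is not None and n >= warn_ratio * lim:
            hits.append((user, n, lim))
    return hits

def live_counts():
    # Processes per owning user, taken from the real Uid in /proc/<pid>/status.
    counts = {}
    for path in glob.glob("/proc/[0-9]*/status"):
        try:
            with open(path) as f:
                uid = next(int(l.split()[1]) for l in f if l.startswith("Uid:"))
            name = pwd.getpwuid(uid).pw_name
            counts[name] = counts.get(name, 0) + 1
        except (OSError, KeyError, StopIteration):
            continue  # process exited, or a uid with no passwd entry
    return counts

def system_groups_of(user):
    primary = grp.getgrgid(pwd.getpwnam(user).pw_gid).gr_name
    return [primary] + [g.gr_name for g in grp.getgrall() if user in g.gr_mem]

if __name__ == "__main__":  # run from cron; pam_limits itself logs nothing when a limit is hit
    with open("/etc/security/limits.conf") as f:
        nproc = parse_nproc_limits(f.read())
    for user, n, lim in check(live_counts(), nproc, system_groups_of):
        syslog.syslog(syslog.LOG_WARNING, f"nproc: {user} runs {n} processes, hard limit {lim}")
```

Pipe the syslog line through your existing mail alerting (rsyslog, logwatch or similar) to get the email; the script itself stays a pure check so it can run unprivileged.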
 
Old 05-07-2012, 03:21 PM   #7
heinblöd
Member
 
Registered: May 2004
Location: France
Distribution: Slackware Gentoo
Posts: 186

Rep: Reputation: 31
But if your limits file contains any errors it may affect all users.

For me it looks like Apache can't drop its root privileges and change to the apache user.

But without more details about your user ids and limits file, no-one can help ...
 
Old 05-07-2012, 11:25 PM   #8
clintonm9
LQ Newbie
 
Registered: Jun 2003
Posts: 20

Original Poster
Rep: Reputation: 0
I have had no issues recreating on other CentOS boxes:

The only entries in the limits.conf file are these two:
* hard core 0
@users hard nproc 50

/etc/group
users:x:100:testuser
apache:x:48:

Set httpd.conf to have more than 50 children and make sure the office/group is apache
<IfModule prefork.c>
StartServers 70
.....

Then log in to testuser (make sure you re-login after the changes to the limits file) and sudo -s to root.
Now try to start Apache. It might look like it starts, but check the error log or do a status on the httpd service.

It just seems like it is somehow taking the limit from the testuser and applying it to starting Apache as root?
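One check worth running after the reproduction steps above (added example, not code from the thread): read the nproc limit each running httpd process actually carries from /proc/<pid>/limits. Resource limits are per-process values inherited across fork and exec, so the value pam_limits set at testuser's login rides through sudo -s into httpd, and the kernel applies it when the children setuid() to the apache user, which is why 70 StartServers against a limit of 50 fail with errno 11. The process name 'httpd' and the child count 70 are taken from the post; the fixed-width column parsing follows the kernel's own layout of that file.

```python
"""Show which nproc limit (RLIMIT_NPROC) running httpd processes actually carry.
Added example, not code from the thread. rlimits are per-process values that
survive fork/exec, so a limit pam_limits applied at testuser's login follows
the session through 'sudo -s' into any httpd started there; when the children
call setuid(48), the kernel checks the apache user's process count against
that inherited limit, and 70 StartServers against a limit of 50 get EAGAIN."""
import glob

def parse_proc_limits(text):
    """Parse /proc/<pid>/limits into {name: (soft, hard)}; 'unlimited' -> None."""
    def conv(v):
        return None if v == "unlimited" else int(v)
    limits = {}
    for line in text.splitlines()[1:]:  # line 0 is the column header
        # The kernel prints fixed-width columns (name 25, soft 20, hard 20, units);
        # the units column can be empty, so splitting on whitespace is unsafe.
        name, soft, hard = line[:25].strip(), line[26:46].strip(), line[47:67].strip()
        limits[name] = (conv(soft), conv(hard))
    return limits

def nproc_too_low(limits, children):
    """True if `children` worker processes would exceed the soft nproc limit."""
    soft, _hard = limits["Max processes"]
    return soft is not None and soft < children

def report(comm, children):
    """(pid, soft, hard, too_low) for every live process whose comm is e.g. 'httpd'."""
    rows = []
    for path in glob.glob("/proc/[0-9]*/comm"):
        pid = path.split("/")[2]
        try:
            with open(path) as f, open(f"/proc/{pid}/limits") as g:
                if f.read().strip() != comm:
                    continue
                lim = parse_proc_limits(g.read())
        except OSError:
            continue  # process exited, or its limits file is not readable to us
        rows.append((int(pid), *lim["Max processes"], nproc_too_low(lim, children)))
    return rows

# Constructed sample in the kernel's own layout (not captured from the thread's box).
SAMPLE = "\n".join(f"{n:<25} {s:<20} {h:<20} {u:<10}" for n, s, h, u in [
    ("Limit", "Soft Limit", "Hard Limit", "Units"),
    ("Max processes", "16", "16", "processes"),
    ("Max realtime priority", "0", "0", ""),
])

if __name__ == "__main__":
    print(nproc_too_low(parse_proc_limits(SAMPLE), 70))  # True: testuser's 16 < 70
    for row in report("httpd", 70):  # live check; needs read access to /proc
        print(row)
```

If the rows for httpd show a soft limit below StartServers while a root shell opened from a fresh login shows none, the limit travelled with the testuser session rather than with the apache user; starting the service from the init script at boot, or after logging in as a user without the entry, sidesteps it.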
 
Old 05-08-2012, 06:50 AM   #9
heinblöd
Member
 
Registered: May 2004
Location: France
Distribution: Slackware Gentoo
Posts: 186

Rep: Reputation: 31
I guess the problem is the
* hard core 0
line, which avoids file creation at all.

If I get it right, there are some issues with PAM and Apache.
Maybe those two links can help you:

http://forums.gentoo.org/viewtopic-t...ex+apache.html
http://www.cyberciti.biz/faq/linux-disable-core-dumps/

Last edited by heinblöd; 05-08-2012 at 06:51 AM.
 
Old 05-12-2012, 09:05 AM   #10
colucix
LQ Guru
 
Registered: Sep 2003
Location: Bologna
Distribution: CentOS 6.5 OpenSuSE 12.3
Posts: 10,509

Rep: Reputation: 1983
Moderator note: please keep discussion on the same topic in one place. Two strictly related threads have been merged here.
 
Old 10-08-2012, 10:11 PM   #11
techguru666
LQ Newbie
 
Registered: Jul 2012
Posts: 24

Rep: Reputation: Disabled
This link might be useful for fork bomb and limiting the number of processes by using limits:
http://www.expertslogin.com/tip-for-...-user-process/
 