Posted to bugs@httpd.apache.org by bu...@apache.org on 2014/08/31 05:20:15 UTC
[Bug 56901] New: Fork bomb is available!
https://issues.apache.org/bugzilla/show_bug.cgi?id=56901
Bug ID: 56901
Summary: Fork bomb is available!
Product: Apache httpd-2
Version: 2.2.27
Hardware: PC
OS: Linux
Status: NEW
Severity: critical
Priority: P2
Component: mod_fcgid
Assignee: bugs@httpd.apache.org
Reporter: nyanhost@gmail.com
Hello!
The fork bomb is not working in the shell.
Limits in `/etc/security/limits.conf` are working.
@users soft nproc 50
@users hard nproc 60
@apache soft nproc 500
@apache hard nrpoc 600
* soft nproc 1900
* hard nproc 2000
If I run Perl, Python, PHP, or Bash scripts in the shell, then I get the
message:
Unable to fork: Resource temporarily unavailable
That is OK!
But if I run these scripts under Apache, then the fork bombs are working!
Example Python script:
test.py:
#!/usr/bin/python
import os
# keep forking until the kernel refuses; the nproc limit should stop this
while True:
    os.fork()
End script.
Shell output:
  File "./test.py", line 5, in <module>
    os.fork()
OSError: [Errno 11] Resource temporarily unavailable
Apache output... creates 25000+ processes
But I have this line in limits.conf:
* hard nproc 2000
Well then, are the processes forking from root?
httpd.conf:
User apache
Group apache
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 56901] Fork bomb is available!
--- Comment #2 from Eric Covener <co...@gmail.com> ---
mod_fcgid doesn't appear to allow setting rlimits from within httpd.
I recall from some other issues that the usage of /etc/limits.conf on Linux
with PAM is not very intuitive and is not simply ever-present because you have
a *:
"""
IMHO this explains it as limits.conf is a configuration file for PAM. If you
don't use any PAM methods (haven't worked out which would be needed) in the
code the limits will not be applied after setuid. Of course pam_limits.so needs
to be configured for session for your app as well.
"""
[Bug 56901] Fork bomb is available!
--- Comment #6 from Demidov Andrei <ny...@gmail.com> ---
I added ulimit -u 256 to the init.d script and restarted it.
This limit method is working.
Sorry for my panic and my English.
Thank you!
[Bug 56901] Fork bomb is available!
Ruediger Pluem <rp...@apache.org> changed:
What        | Removed | Added
------------|---------|-----------
Status      | NEW     | RESOLVED
Resolution  | ---     | WORKSFORME
[Bug 56901] Fork bomb is available!
--- Comment #7 from Ruediger Pluem <rp...@apache.org> ---
(In reply to Demidov Andrei from comment #5)
> (In reply to Ruediger Pluem from comment #4)
> > How do you start httpd? Via init.d script or from a root shell?
> httpd is autostarted via init.d, but I can sometimes restart it from a root
> shell.
If you start from init.d, limits.conf settings will not apply.
>
> > How do you login to this shell? Via console or via ssh?
> Via console; example PHP script (shell_exec):
> <?php
> // print the limits of the process that runs this script
> echo shell_exec('ulimit -a');
> ?>
I meant the shell that you use to start httpd, not the one executing the
script.
>
> > What does ulimit -u / ulimit -u -H tell you in this shell?
> Output of the previous script:
> max user processes (-u) 256971
>
> > What does /proc/<pid>/limits tell you for all httpd processes?
> apache 611 0.0 0.0 180488 4524 ? S 15:02 0:00
> /usr/sbin/httpd
>
> [root@s1 /]# cat /proc/611/limits
> Limit                     Soft Limit           Hard Limit           Units
> Max cpu time              unlimited            unlimited            seconds
> Max file size             unlimited            unlimited            bytes
> Max data size             unlimited            unlimited            bytes
> Max stack size            10485760             unlimited            bytes
> Max core file size        unlimited            unlimited            bytes
> Max resident set          unlimited            unlimited            bytes
> Max processes             256971               256971               processes
> Max open files            1024                 4096                 files
> Max locked memory         65536                65536                bytes
> Max address space         unlimited            unlimited            bytes
> Max file locks            unlimited            unlimited            locks
> Max pending signals       256971               256971               signals
> Max msgqueue size         819200               819200               bytes
> Max nice priority         0                    0
> Max realtime priority     0                    0
> Max realtime timeout      unlimited            unlimited            us
>
> Processes are not limited...
I assume this one was started via init.d.
[Bug 56901] Fork bomb is available!
--- Comment #4 from Ruediger Pluem <rp...@apache.org> ---
How do you start httpd? Via init.d script or from a root shell?
What does ulimit -u / ulimit -u -H tell you in this shell?
How do you login to this shell? Via console or via ssh?
What does /proc/<pid>/limits tell you for all httpd processes?
[Bug 56901] Fork bomb is available!
--- Comment #5 from Demidov Andrei <ny...@gmail.com> ---
(In reply to Ruediger Pluem from comment #4)
> How do you start httpd? Via init.d script or from a root shell?
httpd is autostarted via init.d, but I can sometimes restart it from a root shell.
> How do you login to this shell? Via console or via ssh?
Via console; example PHP script (shell_exec):
<?php
// print the limits of the process that runs this script
echo shell_exec('ulimit -a');
?>
> What does ulimit -u / ulimit -u -H tell you in this shell?
Output of the previous script:
max user processes (-u) 256971
> What does /proc/<pid>/limits tell you for all httpd processes?
apache 611 0.0 0.0 180488 4524 ? S 15:02 0:00 /usr/sbin/httpd
[root@s1 /]# cat /proc/611/limits
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max file size             unlimited            unlimited            bytes
Max data size             unlimited            unlimited            bytes
Max stack size            10485760             unlimited            bytes
Max core file size        unlimited            unlimited            bytes
Max resident set          unlimited            unlimited            bytes
Max processes             256971               256971               processes
Max open files            1024                 4096                 files
Max locked memory         65536                65536                bytes
Max address space         unlimited            unlimited            bytes
Max file locks            unlimited            unlimited            locks
Max pending signals       256971               256971               signals
Max msgqueue size         819200               819200               bytes
Max nice priority         0                    0
Max realtime priority     0                    0
Max realtime timeout      unlimited            unlimited            us
Processes are not limited...
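Added example, not from the bug thread or the httpd project, covering the check Ruediger asks for in comment #4 (what /proc/<pid>/limits says for each httpd process) and the fix Demidov applies in comment #6 (ulimit -u in the init.d script). It is a POSIX shell script that parses the hard "Max processes" value out of /proc/<pid>/limits text and flags processes whose ceiling is unlimited or above a chosen value. The sample limits text is constructed from the output pasted in comment #5; the function names `nproc_hard_limit`, `check_nproc_limit` and `audit_httpd` are chosen here, and the 2000 ceiling is the reporter's `* hard nproc 2000` line used as a reference point, not a recommended value.

```shell
#!/bin/sh
# Audit the nproc limit that httpd processes actually run with.
# pam_limits applies limits.conf only inside a PAM session, so a daemon started
# from init.d keeps whatever rlimits the boot environment had. The only
# authoritative source is /proc/<pid>/limits, which is what this script reads.

# Constructed sample, shaped like the /proc/611/limits output in the thread.
SAMPLE_LIMITS='Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max processes             256971               256971               processes
Max open files            1024                 4096                 files'

# nproc_hard_limit <limits-text>: print the hard "Max processes" value
# (a number or "unlimited"), or nothing if the row is absent. The limit names
# contain single spaces, so fields are split on runs of two or more spaces.
nproc_hard_limit() {
    printf '%s\n' "$1" | awk -F'  +' '$1 == "Max processes" { print $3 }'
}

# check_nproc_limit <limits-text> <ceiling>: succeed (0) only when the hard
# limit is a number no greater than <ceiling>; "unlimited" or a missing row
# counts as a failure because no ceiling is in force.
check_nproc_limit() {
    hard=$(nproc_hard_limit "$1")
    case "$hard" in
        ''|unlimited) return 1 ;;
    esac
    [ "$hard" -le "$2" ]
}

# audit_httpd <ceiling>: walk the live httpd processes and print one line per
# process whose hard nproc limit is absent or above <ceiling>. Returns 1 if any
# offender was found, 0 otherwise (also 0 when no httpd is running).
audit_httpd() {
    bad=0
    for pid in $(pgrep -x httpd 2>/dev/null); do
        [ -r "/proc/$pid/limits" ] || continue
        limits=$(cat "/proc/$pid/limits")
        if ! check_nproc_limit "$limits" "$1"; then
            echo "httpd pid $pid: hard Max processes = ${limits:+$(nproc_hard_limit "$limits")} (ceiling $1)"
            bad=1
        fi
    done
    return $bad
}

# Stand-alone run: report on the constructed sample, then on any live httpd.
if check_nproc_limit "$SAMPLE_LIMITS" 2000; then
    echo "sample: hard nproc limit $(nproc_hard_limit "$SAMPLE_LIMITS") is within 2000"
else
    echo "sample: hard nproc limit $(nproc_hard_limit "$SAMPLE_LIMITS") exceeds 2000; limits.conf was not applied"
fi
audit_httpd "${1:-2000}" || echo "at least one httpd process has no effective nproc ceiling"
```

Run it as root on the web server (`sh audit_nproc.sh 2000`) after every restart, since a restart from a login shell and a restart from init.d give different inherited limits. The comment #6 fix works because an rlimit set with `ulimit -u` in the init.d script is inherited across fork and exec and survives the setuid that httpd and mod_fcgid perform, whereas pam_limits never runs for a process that was not started through a PAM login; RLIMIT_NPROC is counted per real UID, so the ceiling then bounds the `apache` user (or whichever UID the worker switches to) rather than httpd alone.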
[Bug 56901] Fork bomb is available!
--- Comment #1 from Demidov Andrei <ny...@gmail.com> ---
Apache makes the fork under the user's UID.
Normal process:
testuser 21296 0.0 0.0 443680 23488 ? S 11:24 0:00
/usr/php/bin/php-cgi php
Fork process:
524 19788 0.1 0.0 538228 27928 ? S 11:23 0:00
/usr/php/bin/php-cgi php
Fork processes are not limited by limits.conf :(
How to prevent a fork attack?
[Bug 56901] Fork bomb is available!
--- Comment #3 from Demidov Andrei <ny...@gmail.com> ---
Eric, thank you for the answer!
So what methods exist to solve it?