Received: (qmail 37260 invoked by uid 501); 21 Apr 2000 13:11:16 -0000 Message-Id: <20000421131116.37257.qmail@locus.apache.org> Date: 21 Apr 2000 13:11:16 -0000 From: Chris Hardie Reply-To: chris@summersault.com To: submit@bugz.apache.org Subject: RLimitNPROC doesn't work with suexec X-Send-Pr-Version: 3.110 >Number: 6017 >Category: suexec >Synopsis: RLimitNPROC doesn't work with suexec >Confidential: no >Severity: non-critical >Priority: medium >Responsible: apache >State: open >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Fri Apr 21 06:20:00 PDT 2000 >Closed-Date: >Last-Modified: >Originator: chris@summersault.com >Release: 1.3.11 (Unix) suexec >Organization: apache >Environment: FreeBSD 3.3-RELEASE #0 >Description: The documentation indicates that RLimitNPROC, RLimitCPU, and RLimitMEM should be used to limit the resources available to CGI (and SSI) processes spawned by Apache. However, when using these directives in conjunction with suexec, they seem to have no effect. The clearest manifestation of this is when someone decides to reload a CGI page 60 times and our entire webserver crashes, an undesirable behavior. Strangely, when one runs "limits" from the CGI script and dumps the output to screen, the limits are in line with what was set by the RLimit* directives. But, as indicated, they have no actual effect on the CGI processes. >How-To-Repeat: I'd rather not tell you how to take down our server (which I'm sure you could do anyway), but if you were to set up an suexec server with a virtual host that had a CGI script running as a system user (i.e. not root/nobody/www) that did something significant (opened a file, made a database call, loaded a large module), and then hit reload for that page on your browser 20 times, you'd see what I mean. >Fix: I don't have one, I'm sorry. It seems there have been several other folks reporting similar problems, but with no resolution (PR#s 5901, 4551, 3482, etc). The best general goal I can propose is "make the RLimit directives work with suexec". If not that, could someone PLEASE just come right out and say "this is a problem we know about", perhaps put it in the documentation? Thanks. >Release-Note: >Audit-Trail: >Unformatted: [In order for any reply to be added to the PR database, you need] [to include in the Cc line and make sure the] [subject line starts with the report component and number, with ] [or without any 'Re:' prefixes (such as "general/1098:" or ] ["Re: general/1098:"). If the subject doesn't match this ] [pattern, your message will be misfiled and ignored. The ] ["apbugs" address is not added to the Cc line of messages from ] [the database automatically because of the potential for mail ] [loops. If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request from a ] [developer. Reply only with text; DO NOT SEND ATTACHMENTS! ]