www-apache-bugdb mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Chris Hardie <ch...@summersault.com>
Subject suexec/6017: RLimitNPROC doesn't work with suexec
Date Fri, 21 Apr 2000 13:11:16 GMT

>Number:         6017
>Category:       suexec
>Synopsis:       RLimitNPROC doesn't work with suexec
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Fri Apr 21 06:20:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     chris@summersault.com
>Release:        1.3.11 (Unix) suexec
>Organization:
apache
>Environment:
FreeBSD 3.3-RELEASE #0
>Description:
The documentation indicates that RLimitNPROC, RLimitCPU, and RLimitMEM should be used to limit
the resources available to CGI (and SSI) processes spawned by Apache.  However, when using
these directives in conjunction with suexec, they seem to have no effect.  The clearest manifestation
of this is when someone decides to reload a CGI page 60 times and our entire webserver crashes,
an undesirable behavior.

Strangely, when one runs "limits" from the CGI script and dumps the output to screen, the
limits are in line with what was set by the RLimit* directives.  But, as indicated, they have
no actual effect on the CGI processes.
>How-To-Repeat:
I'd rather not tell you how to take down our server (which I'm sure you could do anyway),
but if you were to set up an suexec server with a virtual host that had a CGI script running
as a system user (i.e. not root/nobody/www) that did something significant (opened a file,
made a database call, loaded a large module), and then hit reload for that page on your browser
20 times, you'd see what I mean.
>Fix:
I don't have one, I'm sorry.  It seems there have been several other folks reporting similar
problems, but with no resolution (PR#s 5901, 4551, 3482, etc).  The best general goal I can
propose is "make the RLimit directives work with suexec".  If not that, could someone PLEASE
just come right out and say "this is a problem we know about", perhaps put it in the documentation?
 Thanks.
>Release-Note:
>Audit-Trail:
>Unformatted:
 [In order for any reply to be added to the PR database, you need]
 [to include <apbugs@Apache.Org> in the Cc line and make sure the]
 [subject line starts with the report component and number, with ]
 [or without any 'Re:' prefixes (such as "general/1098:" or      ]
 ["Re: general/1098:").  If the subject doesn't match this       ]
 [pattern, your message will be misfiled and ignored.  The       ]
 ["apbugs" address is not added to the Cc line of messages from  ]
 [the database automatically because of the potential for mail   ]
 [loops.  If you do not include this Cc, your reply may be ig-   ]
 [nored unless you are responding to an explicit request from a  ]
 [developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]
 
 


Mime
View raw message