We take advantage of Linux's ulimit facility to limit user process' use of particular system resources. See DaemonFileSecurity for information on disk usage limits.
1. Login and cron jobs
Login shells and cron jobs inherit the limits from /etc/security/limits.conf, via PAM. We currently impose these limits, where "n/m" means "soft limit n and hard limit m":
as 100000/500000. This limits how much virtual memory processes can allocate. Without this, run-away processes can use up all of the memory in the system and cause daemons to start crashing due to out-of-memory errors.
nproc 10/20. Creating an unbounded number of processes is bad, so here we limit the maximum number of processes you may own concurrently.
These settings are mostly designed assuming friendly users who sometimes make mistakes and create run-away processes. We may need to make the limits more stringent in the future.
We use a patched version of Apache 2 suexec that imposes the following restrictions on script execution:
- It sets some ulimits. Currently, it limits process count to 100 and memory usage to 100 MB.
It waits up to 10 seconds for the script to execute before killing it and its children. The child-killing business is accomplished by putting the initial script process into a new process group, and then later using pkill -g on that process' pid if the time-out is reached.
No doubt we'll be tweaking these parameters based on experience.
We've modified suphp in the same way, so your PHP scripts run with process count, memory, and time limitations, and will be killed if they exceed them.