We use a patched version of Apache 2 suexec that imposes the following restrictions on script execution:
- It sets resource limits (ulimits) on the script. Currently it limits the process count to 100 and memory usage to 100 MB.
- It waits up to 10 seconds for the script to finish before killing it and its children. The child-killing business is accomplished by making the initial script process the leader of a new process group, and then, if the time-out is reached, running pkill -g on that process's pid (which is also the group id, since the process is the group leader), so every descendant that is still in the group is signalled too.
No doubt we'll be tweaking these parameters based on experience.
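The mechanism described above, shown as a small stand-alone C program. This is an added example written for this page, not the patched suexec's code: it forks a child, makes it a process-group leader with setpgid(0, 0), applies RLIMIT_NPROC and RLIMIT_AS limits before exec, polls for the child to exit until a deadline, and on time-out sends SIGKILL to the negative pid, which is the libc equivalent of pkill -g. The function name run_limited, the demo commands and the 1-2 second timeouts are constructed for illustration; the 100-process / 100 MB values are the ones the page quotes.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#define POLL_INTERVAL_MS 50

/* Set soft and hard limit to the same value; 0 means "leave this limit alone". */
static void apply_limit(int resource, rlim_t value)
{
    if (value == 0)
        return;
    struct rlimit rl = { value, value };
    setrlimit(resource, &rl); /* best effort; the child execs either way */
}

/*
 * Run argv as the leader of a fresh process group under the given limits,
 * wait at most timeout_sec for it to exit, then SIGKILL the whole group.
 *
 * Returns  0 if the command exited on its own (*status holds the wait status;
 *            an exec failure shows up there as exit code 127),
 *          1 if the deadline passed and the group was killed,
 *         -1 on fork/wait failure (errno set).
 */
int run_limited(char *const argv[], unsigned timeout_sec,
                rlim_t nproc, rlim_t mem_bytes, int *status)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Child: become leader of a new process group, so pgid == our pid and
         * every descendant inherits it.  That single id is what the parent
         * signals later instead of chasing individual child pids. */
        if (setpgid(0, 0) != 0)
            _exit(127);
        /* RLIMIT_NPROC is counted per real UID on Linux: it caps the user's
         * total process count, not just this script's tree. */
        apply_limit(RLIMIT_NPROC, nproc);
        apply_limit(RLIMIT_AS, mem_bytes);
        execvp(argv[0], argv);
        _exit(127); /* only reached if exec failed */
    }

    /* Parent side of the same setpgid, so the group exists even if we get
     * here before the child ran its own call.  EACCES after exec is harmless. */
    setpgid(pid, pid);

    struct timespec deadline;
    clock_gettime(CLOCK_MONOTONIC, &deadline);
    deadline.tv_sec += timeout_sec;

    for (;;) {
        int st;
        pid_t r = waitpid(pid, &st, WNOHANG);
        if (r == pid) {
            if (status) *status = st;
            return 0;
        }
        if (r < 0 && errno != EINTR)
            return -1;

        struct timespec now;
        clock_gettime(CLOCK_MONOTONIC, &now);
        if (now.tv_sec > deadline.tv_sec ||
            (now.tv_sec == deadline.tv_sec && now.tv_nsec >= deadline.tv_nsec))
            break;

        struct timespec nap = { 0, POLL_INTERVAL_MS * 1000000L };
        nanosleep(&nap, NULL);
    }

    /* Timed out.  A negative pid addresses the whole process group, which is
     * what `pkill -g <pid>` does.  Anything that called setsid() has left the
     * group and is NOT reached by this. */
    kill(-pid, SIGKILL);
    int st;
    while (waitpid(pid, &st, 0) < 0 && errno == EINTR)
        ;
    if (status) *status = st;
    return 1;
}

/* Demo wrappers on constructed commands (not from the page). */
int demo_fast_command(void)
{
    char *const argv[] = { "true", NULL };
    int st;
    return run_limited(argv, 2, 100, 100UL << 20, &st);
}

/* Process-count limit skipped (0) here: RLIMIT_NPROC is per UID, so on a busy
 * account it could make the shell's fork fail and mask what is being shown. */
int demo_timed_out_group(void)
{
    char *const argv[] = { "sh", "-c", "sleep 30 & sleep 30", NULL };
    int st;
    int rc = run_limited(argv, 1, 0, 100UL << 20, &st);
    if (rc == 1 && !(WIFSIGNALED(st) && WTERMSIG(st) == SIGKILL))
        return -2; /* timed out but the leader did not die of our SIGKILL */
    return rc;
}

int main(void)
{
    printf("fast command: %d\n", demo_fast_command());
    printf("slow command: %d (1 = group killed on timeout)\n", demo_timed_out_group());
    return 0;
}
```

Two caveats worth keeping in mind when relying on this: the group kill only reaches processes that are still in the group, so a script that calls setsid() (or a tool that daemonises) escapes it; and because RLIMIT_NPROC is a per-UID limit, a user running several scripts shares one 100-process budget rather than getting 100 per script.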