[Bug 394350] Re: RLimitCPU has no effect in Apache
I was asked privately whether I found a solution. We wasted too much time trying to convince people that we had a credible problem report, and then it seemed that no one was prepared to actually do anything with the information. After that time waste, we decided to give up on RLimitCPU on Ubuntu, and focused our energies elsewhere.

-- 
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to apache2 in Ubuntu.
https://bugs.launchpad.net/bugs/394350

Title:
  RLimitCPU has no effect in Apache

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 394350] Re: RLimitCPU has no effect in Apache
Here is the virtual host config from the procedure documented in:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/394350/comments/15

It is file: /etc/apache2/sites-available/default

** Attachment added: default
   http://launchpadlibrarian.net/29096236/default
[Bug 394350] Re: RLimitCPU has no effect in Apache
I have just reproduced the problem with a fresh install with latest updates, and kept a detailed log as I did so. Perhaps someone can spot something I am doing wrong? I would assume that I'm doing something wrong, except comparable things work on Debian and with upstream, and my users also experienced the problem independently before I did. A fresh pair of eyes on this would be appreciated!

* Download Ubuntu Server 8.04.2 for i386, and burn it to a CD-R. I used the following, as fetched on 2009-07-01: http://ftp-mirror.internap.com/pub/ubuntu-releases/hardy/ubuntu-8.04.2-server-i386.iso
* Use machine IBM/Lenovo ThinkPad T60 with Intel Core Duo (32-bit X86). (Note that we have also observed the same behavior on 64-bit server hardware.)
* Plug machine into Ethernet.
* Boot the CD-R and do the following:
* Language: English
* From CD boot menu, select: Check CD for defects. Result: The CD-ROM integrity test was successful. The CD-ROM is valid. Reboot system.
* Language: English
* From CD boot menu, select: Test memory. Reboot after a lot of successful test passes.
* Language: English
* From CD boot menu, select: Install Ubuntu Server.
* Choose language: English
* Country: United States
* Detect keyboard layout: No.
* Keyboard origin: USA
* Keyboard layout: USA
* Wait for some device scanning and installing and DHCP.
* Hostname: myserver
* Time zone: Eastern
* Partition disks: Guided - use entire disk. Write changes to disk.
* Wait for partitioning and fs creation.
* Full name of new user: John Smith
* Username: john
* Supply password.
* No HTTP proxy.
* Additional software selection: OpenSSH server
* Wait, then remove CD when ejected, then let reboot.
* SSH into myserver as john from another machine. Subsequent commands are in this shell unless otherwise specified.
* sudo su -
* apt-get update
* apt-get upgrade
* Note that the following packages are upgraded (at approx. 10pm EDT 2009-07-10): apparmor apparmor-utils apt apt-utils base-files cpp-4.2 cron dash file gcc-4.2-base initscripts installation-report libcurl3-gnutls libgcc1 libgnutls13 libkrb53 libldap-2.4-2 libmagic1 libsasl2-2 libsasl2-modules libssl0.9.8 libstdc++6 libvolume-id0 linux-image-2.6.24-23-server linux-ubuntu-modules-2.6.24-23-server lsb-base lsb-release ntpdate python-apt sudo sysv-rc sysvutils tasksel tasksel-data tzdata udev update-manager-core
* shutdown -r now
* Wait for reboot.
* SSH into myserver as john from another machine. Subsequent commands are in this shell unless otherwise specified.
* sudo su -
* apt-get install apache2
* Create file /usr/lib/cgi-bin/forever with the contents:

CUT HERE
#!/bin/sh
echo Content-Type: text/html
echo
echo BEFORE
while true ; do
    expr 1 + 1 > /dev/null
done
echo AFTER
CUT HERE

* chmod 0755 /usr/lib/cgi-bin/forever
* /etc/init.d/apache2 stop
* Edit /etc/apache2/sites-available/default to add an erroneous directive to the top of the file: XXX
* /etc/init.d/apache2 start
* Verify that the start failed because of the erroneous directive, which confirms this config file really is being used.
* Edit /etc/apache2/sites-available/default to remove the erroneous XXX directive. Below the ServerAdmin directive line, add the directive: RLimitCPU 2 2
* /etc/init.d/apache2 start
* From a Web browser, access forever CGI (using the appropriate address): http://192.168.1.79/cgi-bin/forever
* Observe that BEFORE appears, and the HTTP connection remains open and loading.
* Determine PID of the forever process (in this case 5179): ps auxwf | grep forever
* cat /proc/5179/limits

CUT HERE
cat /proc/5179/limits
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            ms
Max file size             unlimited            unlimited            bytes
Max data size             unlimited            unlimited            bytes
Max stack size            8388608              unlimited            bytes
Max core file size        0                    unlimited            bytes
Max resident set          unlimited            unlimited            bytes
Max processes             24566                24566                processes
Max open files            1024                 1024                 files
Max locked memory         32768                32768                bytes
Max address space         unlimited            unlimited            bytes
Max file locks            unlimited            unlimited            locks
Max pending signals       24566                24566                signals
Max msgqueue size         819200               819200               bytes
Max nice priority         0                    0
Max realtime priority     0                    0
CUT HERE

* Observe that CPU
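To check the last step of the procedure above mechanically rather than by reading /proc/<pid>/limits by eye, here is an added Python example (not part of the bug report): it parses the limits file format and compares the "Max cpu time" row with the RLimitCPU values that were configured. The sample limits text is constructed from the values quoted in the report; check_pid reads a live process instead.

```python
import re

# Constructed sample of /proc/<pid>/limits with the values the bug report quotes
# for the runaway CGI process: CPU time still unlimited despite "RLimitCPU 2 2".
BROKEN_LIMITS = """\
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            ms
Max stack size            8388608              unlimited            bytes
Max processes             24566                24566                processes
Max nice priority         0                    0
"""
# Constructed sample of what a working "RLimitCPU 2 2" should produce instead.
WORKING_LIMITS = "\n".join(
    "Max cpu time              2                    2                    ms"
    if line.startswith("Max cpu time") else line
    for line in BROKEN_LIMITS.splitlines()) + "\n"

# One limits row: name, soft, hard, optional units (some rows have no units column).
ROW_RE = re.compile(r"^(Max .+?)\s{2,}(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_limits(text):
    """Parse /proc/<pid>/limits into {name: (soft, hard, units)}; 'unlimited' -> None."""
    def value(field):
        return None if field == "unlimited" else int(field)
    limits = {}
    for line in text.splitlines():
        match = ROW_RE.match(line)
        if match:  # the header line does not start with "Max" and is skipped
            name, soft, hard, units = match.groups()
            limits[name] = (value(soft), value(hard), units or "")
    return limits


def check_rlimit_cpu(text, soft_expected, hard_expected):
    """Return (ok, soft, hard): ok is True when "Max cpu time" equals RLimitCPU.
    RLIMIT_CPU is in seconds; the 2.6.24 kernel in the report labels the row "ms",
    so the units column is deliberately ignored."""
    soft, hard, _ = parse_limits(text).get("Max cpu time", (None, None, ""))
    return (soft == soft_expected and hard == hard_expected, soft, hard)


def check_pid(pid, soft_expected, hard_expected):
    """Same check against a live process, e.g. the PID of the forever CGI."""
    with open(f"/proc/{pid}/limits") as fh:
        return check_rlimit_cpu(fh.read(), soft_expected, hard_expected)
```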
[Bug 394350] Re: RLimitCPU has no effect in Apache
Why is the status of this still Incomplete? I realize that the holiday weekend here in the US probably interrupted work, but it's now almost a week idling on what appears to be an Ubuntu-specific security/stability problem for Apache servers. I really need to know if Ubuntu has an imminent solution.

I can't tell whether anyone of the dozens of people copied on this bug has tried to reproduce the problem yet.

I'm afraid this problem and then the lack of response is seriously damaging my users' confidence in Ubuntu Server, after they recently switched to it.

Thank you.
[Bug 394350] Re: RLimitCPU has no effect in Apache
* Simply take a fresh Ubuntu 8.04 install (which gets Apache 2.2.8), add RLimitCPU 2 2 to the default Apache site file, drop the script above into the cgi-bin dir, and run the CGI. You'll see that the CGI process is *not* killed.
* Do the same thing on a Debian stable system (which gets Apache 2.2.9), and the CGI process *is* killed.
* Rig up a build of upstream Apache 2.2.8 (no Ubuntu patches) to use essentially the same config file tree as a fresh Ubuntu 8.04 install (and running on the same Ubuntu 8.04 installed system), and the CGI process *is* killed.

At this point, unless I made a mistake while troubleshooting, the problem appears to be in Ubuntu-specific patches to Apache.
[Bug 394350] Re: RLimitCPU has no effect in Apache
(I had not seen Kees Cook's failure to reproduce before I posted my last message.)

I have just reproduced the problem with a fresh install of 9.04 on an X86 box. (I do not have a fresh 8.04 install at the moment.)

I am at a loss to explain why Kees Cook could not reproduce the problem. I wonder whether he was using a fresh install of an LTS version, or some other configuration.

I request that this bug be reopened.
[Bug 394350] Re: RLimitCPU has no effect in Apache
I just verified that Ubuntu 9.04's packaging of Apache 2.2.11 also exhibits this problem.

Looking through the Ubuntu patches to upstream Apache 2.2.8 (where we initially noticed the problem), I haven't yet found an obvious cause. The people who did the packaging or patches on this would be able to debug this faster than me. Otherwise, I'll have to start tracing through unfamiliar Apache source to debug it that way.
Re: [Bug 394350] Re: RLimitCPU has no effect in Apache
Chuck Short wrote at 07/02/2009 09:51 AM:
> Do you have a script or a cgi that tests this bug?

The following cgi-bin script can be used to trigger RLimitCPU in a correctly functioning Apache. Setting the limits to 2 seconds of CPU time typically permits around 10 seconds of real time to watch the time grow in top. On a correctly functioning Apache, the process terminates shortly after 2 seconds of CPU time are incurred.

Thanks.

#!/bin/sh
echo Content-Type: text/html
echo
echo BEFORE
while true ; do
    expr 1 + 1 > /dev/null
done
echo AFTER
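The behaviour the script above is meant to trigger, as an added Python example that is not part of the bug report: it applies the same RLIMIT_CPU to a forked child that a working "RLimitCPU soft hard" applies to a CGI child, and shows a runaway loop being terminated by the kernel while a script that stays under the limit finishes normally. The limit values and the 0.2 s of bounded work are assumptions chosen to keep the run short.

```python
import os
import resource
import signal
import time


def burn_cpu(seconds):
    """Spin until this process has used `seconds` of CPU time; None spins forever,
    like the `forever` CGI in the report (time.process_time restarts at 0 after fork)."""
    while seconds is None or time.process_time() < seconds:
        pass


def run_under_rlimit_cpu(soft, hard, work_seconds):
    """Fork a child, give it RLIMIT_CPU (soft, hard) seconds as a working
    "RLimitCPU soft hard" does for a CGI child, make it burn `work_seconds` of CPU,
    and report how it ended: ("exited", code) or ("signaled", signal number)."""
    # Never try to raise the hard limit above what this process already has.
    _, cur_hard = resource.getrlimit(resource.RLIMIT_CPU)
    if cur_hard != resource.RLIM_INFINITY:
        hard = min(hard, cur_hard)
        soft = min(soft, hard)
    pid = os.fork()
    if pid == 0:  # child: plays the role of the CGI process
        try:
            resource.setrlimit(resource.RLIMIT_CPU, (soft, hard))
            burn_cpu(work_seconds)
        except BaseException:
            os._exit(1)
        os._exit(0)
    _, status = os.waitpid(pid, 0)
    if os.WIFSIGNALED(status):
        return ("signaled", os.WTERMSIG(status))
    return ("exited", os.WEXITSTATUS(status))


def runaway_is_terminated(soft=1, hard=2):
    """True when an endless loop is stopped by the CPU limit: SIGXCPU at the soft
    limit (default action: terminate) or SIGKILL at the hard limit."""
    outcome, detail = run_under_rlimit_cpu(soft, hard, None)
    return outcome == "signaled" and detail in (signal.SIGXCPU, signal.SIGKILL)


def bounded_work_survives(limit=2, work_seconds=0.2):
    """True when a script that stays under the limit finishes normally."""
    return run_under_rlimit_cpu(limit, limit, work_seconds) == ("exited", 0)


if __name__ == "__main__":
    print("runaway loop terminated:", runaway_is_terminated())
    print("bounded script survived:", bounded_work_survives())
```

On the Ubuntu packages described in this bug, the equivalent Apache-side check is that the forever CGI keeps running, which is what the report's /proc/<pid>/limits output (CPU time unlimited) predicts.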
[Bug 394350] [NEW] RLimitCPU has no effect in Apache
*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: apache2

The Apache RLimitCPU directive has no effect in the Ubuntu packaging of Apache 2.2.8. We have reproduced this problem on multiple Ubuntu 8.04 systems, including a freshly-installed one. We have verified that it *does* work on the same machine when using an unmodified upstream source build of 2.2.8. We have also verified that it works on Debian stable (using Debian packaging of Apache 2.2.9).

This arguably constitutes a DoS security vulnerability, since the Ubuntu packaging of Apache is not preventing a runaway process from taking down the server as a correctly operating Apache (including upstream) does.

The cause appears to be in either Ubuntu-specific (or Debian-specific) patches to 2.2.8 or in the Ubuntu/Debian-specific configuration setup in Ubuntu packaging of 2.2.8.

If the problem can be fixed in the Ubuntu packaging of Apache as an update to 8.04, so that we could use it on our server, that would be great. Otherwise, we will have to move to a build of upstream Apache or move away from Ubuntu.

Thank you.

Description: Ubuntu 8.04.2
Release: 8.04

ii  apache2             2.2.8-1ubuntu0.9  Next generation, scalable, extendable web server
ii  apache2-mpm-worker  2.2.8-1ubuntu0.9  High speed threaded model for Apache HTTPD
ii  apache2-utils       2.2.8-1ubuntu0.9  utility programs for webservers
ii  apache2.2-common    2.2.8-1ubuntu0.9  Next generation, scalable, extendable web server

** Affects: apache2 (Ubuntu)
     Importance: Undecided
         Status: New

** Visibility changed to: Public