include() fork bomb

Pileofrogs

I'm a sysadmin who runs an apache server with PHP. Recently, one of my users accidentally created a fork bomb by creating a php file that includes itself. Is there a way to detect when someone has done this and prevent it from infininite recursion?

Thanks!

bradgrafelman

Switch include() to [man]include_once/man
Don't let any one process grow to become an excessively large load on the CPU.
Find the irresponsible programmer(s), beat them senseless, and ask that from now on they only save their work in a very special folder: /dev/null

MarkR

Did they include by URL or by file path?

If they included by file path, this would have caused PHP to repeatedly include the same file until it got bored (unless any functions or constants were defined in the include, in which case it would fail with a fatal immediately). This would not have caused any load issue.

If they included by URL, then it may have appeared as a "fork bomb". This indicates that your Apache MaxClients is set too high.

Don't set Apache MaxClients higher than your machine has resource for and/or you need. In most cases this means no more than about 50.

Setting MaxClients to 1000 etc (especially on prefork MPM which is FAR less memory efficient than worker), is stupid.

Once you upgrade to PHP 5.2, you can disable inclusion via URL (indeed, it is disabled by default). Until then you have to tell people not to use it.

Perhaps you can grep for

include("http://

or similar and find those pages and mail the irresponsible authors.

Another possibility is to set up IP address restrictions to prevent your web server connecting to itself.

Mark

Pileofrogs

Awesome! Thanks.

I'll lower the max clients and tell my users to stop using include by ur.

Your IP limit idea is great. Here's my take on it.

I can use mod_rewrite to detect anything that (1) refers to itself and (2) comes from localhost and redirect it to an error page that tells people about avoiding infinite recursion.

MarkR

The IP limit thing is going to be very easy. There's no need for mod_rewrite, you can do it just with "Allow from" and "Deny from" directives in httpd.conf.

You can deny access from localhost and the local machine's IP address, in which case any self-referential requests made by PHP will fail with a 403 (PHP will produce a suitable warning I should think).

Mark

Pileofrogs

There are legitimate reasons for requests from localhost, so I don't want to block them all. Plus, with mod_rewrite I can give users a helpfull error message.

Update
There is no HTTP_REFERER sent when a php script includes a file by URL. That means blocking requests from localhosts might be my only option...