ssh remote command execution and ulimit

StackOverflow https://stackoverflow.com/questions/1887365

  •  19-09-2019
  •  | 
  •  

Question

I have the following script:

cat > /tmp/script.sh <<EndOfScript
#!/bin/sh
ulimit -n 8192
run_app
EndOfScript

which runs smoothly locally, it is always ok. But if I try to run it remotely through ssh:

scp /tmp/script.sh user@host:/tmp/script.sh
ssh user@host "chmod 755 /tmp/script.sh; /tmp/script.sh"

I got the error: 

ulimit: open files: cannot modify limit: Operation not permitted

I also tried the following command:

ssh user@host "ulimit -n 8192"

same error.

It looks like that ssh remote command execution is enforcing a 1024 hard limit on nofile limit, but I can not find out how to modify this default value. I tried to modify /etc/security/limits.conf and restart sshd, still the same error.

Was it helpful?

Solution 2

Fiannly figured out the answer: add the following to /etc/initscript

ulimit -c unlimited
ulimit -HSn 65535
# Execute the program.
eval exec "$4"

OTHER TIPS

Instead of using the workaround of /etc/initscript (and do not make a typo in that file.. :), if you just want sshd to honor the settings you made in /etc/security/limits.conf, you should make sure you have UsePAM yes in /etc/ssh/sshd_config, and /etc/pam.d/sshd lists session required pam_limits.so (or otherwise includes another file that does so).

That should be all there is to it.

In older versions od openssh (<3.6 something) there was also a problem with UsePrivilegeSeparation that prevented limits being honored, but it was fixed in newer versions.

ulimit requires superuser privileges to run.

I would suggest you to ask the server administrator to modify that value for you on the server you are trying to run the script on.

He/She can do that by modifying /etc/secutiry/limits.conf on Linux. Here is an example that might help:

*               soft    nofile          8192
*               hard    nofile          8192

After that, you don't need to restart sshd. Just logout and login again.

I would suggest you to ask the same question in ServerFault though. You'll get better server-side related answers there.

Check the start up scripts (/etc/profile, ~/.??*) for a call to ulimit. IIRC, once a limit has been imposed, it can't be widened anymore.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top