As some people have pointed out, sane default limits are hard to define. Within reach of me I have machines whose "sane default" limits would vary by 2 orders of magnitude, and I can make an argument for a machine that should sanely have a default an order of magnitude smaller yet. With that much variation, I'd suggest that only the admin of the machine in question can make any accurate judgement as to what the normal limit should be, the best the distribution can do by default is come up with a number that's sane for the average system (which, these days, could easily be 2-4 times what's safe for older systems still in service, but it's that or cripple newer systems until their settings are tweaked).

If it's my machine, I'd normally want the limits set high enough that they don't keep me from doing what I tell the system to do. If I'm allowing other people access, or opening the machine to the net, it's my responsibility as an admin to make sure everything's been set safely. I should not be assuming the default settings are completely safe, because the definition of "safe" is dependent on how I'm using the machine. "Safe" for a public-login host on the Internet is radically different from "safe" on the crash-and-burn dev box on my desk where I'm the only user and I'm debugging crashes in programs that run as root anyway.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/308/30976#30976