I have to agree with most of the comments here, setting an artificial limit to the number of processes cannot be done in a "one size fits all" manner. And while testing things, I don't want the kernel telling me: "You are not allowed to spawn/fork another process, mate. Change the settings."
IMHO, most Distros set the limits, if set at all, to a really high value to avoid annoying users with error messages. The beauty of *NIX is the fact that everything can/should be configured to taste/necessity.
A possible approach to the issue would be some kind of script for the inexperienced to automatically apply settings for "server use", "shared use", etc. OTOH, what happens if the "secured" machine is beefed up with more RAM, CPU, etc.? Someone has to tell the inexperienced admin to either reapply the script (assuming it has the means to figure out new values) or change the limits manually. This implies that the level of experience magically grew in some mysterious way.
This leads back to my point, one has to know at least something about the system he/she is responsible for. Which can lead only to one conclusion: either they learn by mistake or they know beforehand.
Granted the kernel could take care of the issue, the question is, do we really want that?

my 2 cents
Erik

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/308/30977#30977