Arch Linux

Could you explain what you would like to see implemented ?

I believe he suggests bounding the number of processes per user. That sounds to me like a pretty bad idea. If you really need it, feel free to customize your limits.conf, but we shouldn't enforce that as a default for everyone.

I would agree with vesath. Guessing/Enforcing a default value is in my opinion not the preferred way, also because the number of max. processes would differ from system to system (hardware, ram, configuration, users, environment, ...)

I would like arch to be by default resilient against forkbombs from non-privileged users.
Many solutions exist (grsecurity, bastille, fork bomb defuser module) but except from a default preconfigured /etc/security/limits.conf they all involve installing additional packages.

For your information :
bastille recommends a maxprocess limit of 150 for the group "users", Debian uses a fixed 256, freebsd dynamically determine it according to the RAM (common values seem to be 1789 and 5547).

Those limits don't affect root, boot process will not be impacted.

I would like to see a sane default and also a comment about that in the Install guide, especially for multi seat users and server users). Of course if there are any other solution which does not set a fixed value but a value derived from the system capability, I'd be happy to discuss it.

I believe something like:

* - nproc 500

in /etc/security/limits.conf would be sufficient. I use it without problems for years.

150 seems a like it could cause troubles, while 500 won't. Thus it efficiently denies fork bombs.

Also, may I suggest adding:
session required pam_limits.so

in /etc/pam.d/{su,sudo}, so that limits apply even to users not using login at all.

Breaking user space by overriding kernel defaults sounds like a shitty idea. imho: If you want this feature, do it yourself like everyone else.

Mamy, Robert: I understand you use these settings happily; but why force them on everyone?
People use Arch in different ways, which results in different setups: the limit that works for you might not work for others.
Besides, we ship the limits.conf provided by PAM upstream; I would suggest that you take your request there.

I would like to see a wiki article rather than forcing users to use these settings. In the end you would learn more from a wiki article, plus most people dont need these settings.

Gaetan:
simply because a user who knows will easily change the settings (that user must change it *anyway*).
user who doesn't know won't change that setting. If default is unrestricted, he will be victim of DOS attacks, while if default is restricted, he wont.

We don't do any harm with this, IMO.

Robert: Users who don't know about this setting should really not be administrating systems with untrusted users.

Gaetan: Sure they shouldn't but they can, and they probably will. It still doesn't harm anyone.