On Dec 5, 2007, at 6:20 PM, Douglas A. Tutty wrote:
I don't know if OpenBSD has any other tricks under the hood to protect the system from a milicious but legitimate shell user.
They might have a few, I don't know. It's worth noting that their brag line on their website only refers to *remote* security holes. They don't make any guarantees about protecting you from your own users.
Preventing a malicious shell user from gaining root is usually possible, with care, but preventing a malicious user from creating a denial-of-service situation is often impossible. You can't really set memory and process limits low enough to prevent a user from bogging the machine down without cutting legitimate applications off at the knees, so a "fork bomb" almost always results in an unusable system.
Unless you're running a public open-access system with shell access (rare), this type of problem is usually best dealt with by having a "friendly" chat with the user in question. If the user is local you may want to bring a length of "sucker rod." (See item 5 of the SECURITY THREATS section of the Linux sysklogd(8) manpage.)