I have been thinking recently of using a number of Raspberry Pis as a platform for doing a number of biodiversity science projects. This would (possibly) require allowing people external to the project running code on the devices, so I have been looking into what needs to be done to 'battle harden' the standard Raspbian distribution for use in this, or similar projects.
Let's just say that the Pis may well end up in a number of inaccessible locations, and it might end up being very difficult to hard reset them. In my mind the first thing I think of when letting people access such a system is the 'Fork bomb' - creating an ever increasing number of processes (accidentally or otherwise) until the system runs out of resources.
Perhaps the best known *NIX fork bomb is the following:
:(){ :|: & };:
This innocuous looking code defines a function with no parameters : that calls itself and pipes the output from calling itself into a new background process { :|: &};. The final : runs the function for the first time.
The solution to this is to specify a maximum number of processes in the file /etc/security/limits.conf - adding the following line sets a limit for all users apart from root:
* hard nproc 1024
On my 512MB Raspberry Pi this easily prevents the fork bomb from causing havoc - although for most circumstances I will need a lower limit (e.g. 512) is likely to be sufficiently adequate.
