
Bug 587440

Summary: net-misc/memcached: systemd hardening
Product: Gentoo Linux
Reporter: Craig Andrews <candrews>
Component: Current packages
Assignee: Robin Johnson <robbat2>
Status: RESOLVED FIXED
Severity: normal
CC: candrews, prometheanfire
Priority: Normal
Keywords: PATCH
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Craig Andrews gentoo-dev 2016-06-28 19:02:13 UTC
net-misc/memcached's systemd service, memcached.service, should use systemd's hardening features:

* PrivateTmp=true should be used. This would align Gentoo with the Red Hat / Fedora / CentOS family, which made this change in 2012: http://danwalsh.livejournal.com/51459.html
* CapabilityBoundingSet= should be set
* ProtectSystem=full (or at least true)
* NoNewPrivileges=true
* PrivateDevices=true

I tested these settings and didn't experience any problems in my (admittedly limited) setup. I think they should be fine for anyone except for exceptional and odd situations. For the (very rare) impacted user, they can always override the systemd service - but a secure configuration should be the default.
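An added audit script, not part of this bug, the Gentoo ebuild or upstream memcached, that parses a unit's [Service] section and reports which of the five directives listed above are absent or effectively disabled; the unit text is constructed for the example and the directive names are the ones the report asks for.

```python
"""Audit a systemd unit for the hardening directives requested in this bug."""

# Sample unit, constructed for this example; it is not Gentoo's or upstream's file.
SAMPLE_UNIT = """\
[Unit]
Description=Memcached

[Service]
Type=simple
ExecStart=/usr/bin/memcached -u memcached
PrivateTmp=yes
ProtectSystem=true
CapabilityBoundingSet=
Environment=A=1
Environment=B=2
"""

# Spellings systemd accepts for a true boolean.
SYSTEMD_TRUE = {"1", "yes", "true", "on"}


def parse_service_section(text):
    """Return (key, value) pairs from [Service], keeping duplicates in order."""
    pairs, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Service" and "=" in line:
            key, value = line.split("=", 1)  # split once: Environment=A=1 keeps "A=1"
            pairs.append((key.strip(), value.strip()))
    return pairs


def missing_hardening(text):
    """List the requested hardening directives that are absent or not enabled."""
    svc = {}
    for key, value in parse_service_section(text):
        svc[key] = value  # for the boolean settings checked here, a later line overrides an earlier one
    missing = [k for k in ("PrivateTmp", "NoNewPrivileges", "PrivateDevices")
               if svc.get(k, "").lower() not in SYSTEMD_TRUE]
    # ProtectSystem is hardening only as true, full or strict.
    if svc.get("ProtectSystem", "").lower() not in SYSTEMD_TRUE | {"full", "strict"}:
        missing.append("ProtectSystem")
    # An empty CapabilityBoundingSet= drops every capability; omitting it keeps them all.
    if "CapabilityBoundingSet" not in svc:
        missing.append("CapabilityBoundingSet")
    return missing
```

Running `missing_hardening(SAMPLE_UNIT)` on the sample flags NoNewPrivileges and PrivateDevices, the two settings the constructed unit leaves out.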
Comment 1 Craig Andrews gentoo-dev 2016-06-28 19:04:07 UTC
https://github.com/gentoo/gentoo/pull/1787
Comment 2 Craig Andrews gentoo-dev 2016-06-28 19:07:14 UTC
Note that upstream also distributes a systemd unit, but it's quite different from Gentoo's. I've also requested that they harden the unit they distribute:
https://github.com/memcached/memcached/pull/176

Perhaps Gentoo should consider using upstream's instead of maintaining its own copy?
Comment 3 Adam Feldman gentoo-dev 2016-06-29 02:09:43 UTC
Thanks for your thorough submission/contribution!
Comment 4 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2016-11-08 00:51:00 UTC
Upstream's systemd is now used.