Summary: | net-misc/memcached should not listen on UDP port by default | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Hanno Böck <hanno>
Component: | Default Configs | Assignee: | Gentoo Security <security>
Status: | CONFIRMED --- | |
Severity: | normal | CC: | ajak, hydrapolic, jdavid.ibp, prometheanfire, robbat2, sam
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | https://github.com/memcached/memcached/wiki/ReleaseNotes156 | |
Whiteboard: | | |
Package list: | | Runtime testing required: | ---
Description
Hanno Böck
2018-03-01 22:06:19 UTC
(In reply to Hanno Boeck from comment #0)
> The default configuration in Gentoo enables the UDP port.

Only when no sockets are used. (https://gitweb.gentoo.org/repo/gentoo.git/tree/net-misc/memcached/files/memcached.init2#n55) We also warn when listening on 0.0.0.0 (https://gitweb.gentoo.org/repo/gentoo.git/tree/net-misc/memcached/files/memcached.init2#n28).

I would suggest setting "LISTENON" to "127.0.0.1" per default and maybe uncommenting "SOCKET" per default, so that we ensure that no Gentoo system can be abused out of the box if the administrator forgot to set up a firewall, but there is no need to demonize UDP usage in general.

Thomas, all your change proposals sound good, but I'd go one step further: even if a user changes to not using sockets, disable UDP by default. E.g. we could comment out UDPPORT by default in conf.d/memcached and only pass -U {UDPPORT} if it's set. From the upstream announcement it sounds to me like UDP-based memcached is basically considered a deprecated protocol that has little use today.

> E.g. we could comment out UDPPORT by default in conf.d/memcached and only
> pass -U {UDPPORT} if it's set.

ACK.

Please do this… I got bitten by it while switching a machine to systemd. LISTENON="127.0.0.1" was set in /etc/conf.d/memcached but most settings in that file are not honored by memcached's systemd unit.

Maintainer(s): Ping.

Ping