net-misc/memcached's systemd service, memcached.service, should use systemd's hardening features: * PrivateTmp=true should be used. This would align Gentoo with the Red Hat / Fedora /CentOS family, which made this change in 2012: http://danwalsh.livejournal.com/51459.html * CapabilityBoundingSet= should be set * ProtectSystem=full (or at least true) * NoNewPrivileges=true * PrivateDevices=true I tested these settings and didn't experience any problems in my (admitted limited) setup. I think they should be fine for anyone except for exceptional and odd situations. For the (very rare) impacted user, they can always override the systemd service - but a secure configuration should be the default.
https://github.com/gentoo/gentoo/pull/1787
Note that upstream also distributes a systemd unit, but it's quite different from Gentoo's. I've also requested that they harden the unit they distribute: https://github.com/memcached/memcached/pull/176 Perhaps Gentoo should consider using upstream's instead of maintaining it's own copy?
Thanks for your thorough submission/contribution!
Upstream's systemd is now used.
