Package: memcached
Version: 1.4.5-1
Severity: wishlist
Tags: patch
User: [email protected]
Usertags: origin-ubuntu maverick ubuntu-patch
In Ubuntu, we've applied the attached patch to achieve the following:

  * Run as 'memcache' user instead of nobody (LP: #599461)
  * depend on adduser for preinst/postrm
  * create user in postinst

We thought you might be interested in doing the same. This increases the security of running as a non-root user, as now the memcached daemon isn't subject to trivial local attack from other daemons running as 'nobody'.

-- System Information:
Debian Release: squeeze/sid
  APT prefers maverick-updates
  APT policy: (500, 'maverick-updates'), (500, 'maverick-security'), (500, 'maverick')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.34-4-generic (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -u memcached-1.4.5/debian/memcached.conf memcached-1.4.5/debian/memcached.conf --- memcached-1.4.5/debian/memcached.conf +++ memcached-1.4.5/debian/memcached.conf @@ -27,7 +27,7 @@ # Run the daemon as root. The start-memcached will default to running as root if no # -u command is present in this config file --u nobody +-u memcache # Specify which IP address to listen on. The default is to listen on all IP addresses # This parameter is one of the only security measures that memcached has, so make sure diff -u memcached-1.4.5/debian/memcached.postinst memcached-1.4.5/debian/memcached.postinst --- memcached-1.4.5/debian/memcached.postinst +++ memcached-1.4.5/debian/memcached.postinst @@ -3,9 +3,37 @@ set -e -if [ ! -e /etc/memcached.conf ] - then - mkdir -p /etc - cp /usr/share/memcached/memcached.conf.default /etc/memcached.conf -fi +GROUP="memcache" +USER="memcache" +DATADIR="/nonexistent" + +# shamelessly copied from debian gearman-job-server package... + +case "$1" in +configure) + # creating memcache group if it isn't already there + if ! getent group $GROUP >/dev/null ; then + # Adding system group + addgroup --system $GROUP >/dev/null + fi + + # creating memcache user if it isn't already there + if ! getent passwd $USER >/dev/null ; then + # Adding system user + adduser \ + --system \ + --disabled-login \ + --ingroup $GROUP \ + --home $DATADIR \ + --gecos "Memcached" \ + --shell /bin/false \ + $USER >/dev/null + fi + if [ ! -e /etc/memcached.conf ] + then + mkdir -p /etc + cp /usr/share/memcached/memcached.conf.default /etc/memcached.conf + fi + ;; +esac #DEBHELPER# diff -u memcached-1.4.5/debian/changelog memcached-1.4.5/debian/changelog diff -u memcached-1.4.5/debian/memcached.postrm memcached-1.4.5/debian/memcached.postrm --- memcached-1.4.5/debian/memcached.postrm +++ memcached-1.4.5/debian/memcached.postrm 
@@ -2,10 +2,16 @@ set -e +USER=memcache +GROUP=memcache + if [ "$1" = "purge" ] then rm -f /etc/memcached.conf rm -f /var/log/memcached.log + + deluser --system $USER || true + delgroup --system --only-if-empty $GROUP || true fi rm -f /var/run/memcached.pid diff -u memcached-1.4.5/debian/control memcached-1.4.5/debian/control --- memcached-1.4.5/debian/control +++ memcached-1.4.5/debian/control @@ -1,7 +1,8 @@ Source: memcached Section: web Priority: optional -Maintainer: David Martínez Moreno <[email protected]> +Maintainer: Ubuntu MOTU Developers <[email protected]> +XSBC-Original-Maintainer: David Martínez Moreno <[email protected]> Build-Depends: debhelper (>= 6), libevent-dev, quilt (>= 0.46-7) Homepage: http://www.danga.com/memcached/ Standards-Version: 3.8.4 @@ -9,6 +10,7 @@ Package: memcached Architecture: any Depends: ${shlibs:Depends}, perl, ${misc:Depends}, lsb-base (>= 3.2-13) + , adduser Suggests: libcache-memcached-perl, libmemcached Description: A high-performance memory object caching system Danga Interactive developed memcached to enhance the speed of LiveJournal.com,
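Review bot: The `-u nobody` to `-u memcache` switch in the memcached.conf hunk only takes effect on fresh installs, because the postinst copies memcached.conf.default to /etc/memcached.conf solely when that file is absent; a system upgrading from 1.4.5-1 keeps `-u nobody` and never benefits from the new account. Consider a one-time migration in postinst (rewrite `-u nobody` to `-u memcache` when the file is otherwise untouched) or at least a NEWS entry telling administrators to edit the file. The comment immediately above the line, "Run the daemon as root. The start-memcached will default to running as root if no -u command is present", now sits oddly next to `-u memcache`; updating it to describe the dedicated user would avoid confusion.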
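Review bot: In the postinst hunk, the `adduser --system ... --home $DATADIR` call with `DATADIR="/nonexistent"` should also pass `--no-create-home`; without it adduser may create a /nonexistent directory for the account (stated as an assumption about adduser's defaults, worth checking against the version in the target release). Moving the `/etc/memcached.conf` default-copy inside the `configure)` branch is also a behaviour change: it previously ran on every postinst invocation (including abort-upgrade) and now runs only on configure. That is the right place for it, but it deserves a line in the changelog. The user/group creation is correctly placed before `#DEBHELPER#`, so the init script started by the debhelper snippet will find the `memcache` account.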
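Review bot: In the postrm purge branch, `deluser --system $USER || true` and `delgroup --system --only-if-empty $GROUP || true` assume the adduser package is still present at purge time, which Debian does not guarantee (Depends are only honoured while the package is configured, and `|| true` would also silence a genuine "command not found"). Guard the calls with `if [ -x /usr/sbin/deluser ]` (and the same for delgroup) instead of relying on `|| true`. The ordering is right: /etc/memcached.conf and /var/log/memcached.log are removed before the uid is freed, so no file is left behind owned by a recycled uid.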
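Review bot: The `diff -u memcached-1.4.5/debian/changelog memcached-1.4.5/debian/changelog` header is followed by no hunk, so the changelog entry for this change (with the LP: #599461 reference cited in the report) is missing from the attached patch; either include the entry or drop the empty header.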
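Review bot: The Maintainer / XSBC-Original-Maintainer rewrite in the first control hunk is Ubuntu-specific and should be left out of a patch offered to Debian; only the second hunk, adding `adduser` to Depends, belongs in the forwarded change. The `, adduser` continuation line is valid control-file syntax, though appending to the existing `Depends:` line is the more usual style. The dependency itself is needed, since postinst calls `addgroup`/`adduser` before `#DEBHELPER#`.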

