It's useful when you need to run memcached as root (-u root).

    if (setrlimit(RLIMIT_NOFILE, &rlim) != 0) {
        fprintf(stderr, "failed to set rlimit for open files. Try running a$
        exit(EX_OSERR);
    }

for upping rlimit. Once it's done setting rlimit, root privileges are no
longer needed. Additionally, it chroots the process to /var/empty. If the
attacker somehow succeeds in finding an exploit, he cannot execute commands
like /bin/sh, since he's jailed inside /var/empty.

//Logan
C-x-C-c

On Tue, Jul 20, 2010 at 2:38 AM, dormando <dorma...@rydia.net> wrote:
>
> > Greetings,
> >
> > We are a small company who are increasingly relying on
> > memcached for our big projects. We are very pleased with
> > its performance.
> >
> > I've put this patch that
> >
> > 1) chroots to /var/empty
> > 2) changes from root to a simple user.
> >
> > It effectively jails the process once it no longer needs root
> > privilege and allows an attacker very little room to play.
> >
> > The patch has been working fine on our Gentoo server for
> > quite some time.
> >
> > Feedback is most welcome, and we are more than willing to
> > improve the patch to fit your standards.
>
> I'm a little confused; there is already a method for memcached to drop
> user privileges, by specifying the -u option? What's the purpose of this
> that the other function doesn't do?
>
-- 
`` Real men run current !''
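
The order of operations this message describes (raise the open-file limit while still root, chroot to /var/empty, then switch to an unprivileged user), written out as an added example; it is not the patch discussed in this thread and not memcached's own code. The function names, the jail-directory checks, the return codes and the uid/gid 65534 are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE            /* exposes chroot() and setgroups() on glibc */
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/resource.h>
#include <dirent.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* 0 only if path is an empty, root-owned directory that group/other cannot write. */
int jail_dir_ok(const char *path) {
    struct stat st;
    struct dirent *e;
    DIR *d;
    int entries = 0;
    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode)) return -1;
    if (st.st_uid != 0 || (st.st_mode & (S_IWGRP | S_IWOTH))) return -1;
    if ((d = opendir(path)) == NULL) return -1;
    while ((e = readdir(d)) != NULL)
        if (strcmp(e->d_name, ".") != 0 && strcmp(e->d_name, "..") != 0) entries++;
    closedir(d);
    return entries ? -1 : 0;
}

/* Raise the fd limit while still root, then jail and drop. Negative = failed step. */
int raise_jail_drop(rlim_t nofile, const char *jail, uid_t uid, gid_t gid) {
    struct rlimit rl = { nofile, nofile };
    if (uid == 0 || gid == 0) return -1;                 /* not a drop at all */
    if (jail_dir_ok(jail) != 0) return -2;               /* checked before any change */
    if (setrlimit(RLIMIT_NOFILE, &rl) != 0) return -3;   /* raising the hard limit needs root */
    if (chroot(jail) != 0 || chdir("/") != 0) return -4; /* chdir: no cwd outside jail */
    if (setgroups(1, &gid) != 0) return -5;              /* shed root's extra groups */
    if (setgid(gid) != 0) return -6;                     /* group before user */
    if (setuid(uid) != 0) return -7;
    if (setuid(0) == 0 || setgid(0) == 0) return -8;     /* root must be unrecoverable */
    return 0;
}

int main(void) {
    /* Constructed values: 65534 is commonly "nobody"; adjust for the target system. */
    int rc = raise_jail_drop(4096, "/var/empty", 65534, 65534);
    printf("raise_jail_drop returned %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

Run as a non-root user, this stops at the chroot step or earlier, since chroot and raising the hard limit both need root; every socket or file the daemon needs from outside the jail has to be opened before the chroot call.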