It's useful when you need to run memcached as root (-u root).

        if (setrlimit(RLIMIT_NOFILE, &rlim) != 0) {
            fprintf(stderr, "failed to set rlimit for open files. Try running a$
            exit(EX_OSERR);
        }

for upping rlimit.

Once it's done setting rlimit, root privileges are no longer needed.

Additionally, it chroots the process to /var/empty. If the attacker somehow
succeeds in finding an exploit, he cannot execute commands like /bin/sh, since
he's jailed inside /var/empty.


//Logan
C-x-C-c
On Tue, Jul 20, 2010 at 2:38 AM, dormando <dorma...@rydia.net> wrote:

>
> > Greetings,
> >
> > We are a small company who are increasingly relying on
> > memcached for our big projects. We are very pleased with
> > its performance.
> >
> > I've put this patch that
> >
> > 1) chroots to /var/empty
> > 2) changes from root to a simple user.
> >
> > It effectively jails the process once it no longer needs root
> > privilege and allows an attacker very little room to play.
> >
> > The patch has been working fine on our gentoo server for
> > quite some time.
> >
> > Feedback is most welcome, and we are more than willing to
> > improve the patch to fit your standards.
>
> I'm a little confused; there is already a method for memcached to drop
> user privileges, by specifying the -u option? What's the purpose of this
> that the other function doesn't do?
>



-- 
`` Real men run current !''
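
The sequence discussed in this thread (raise the open-file limit while still root, chroot to /var/empty, then switch to an unprivileged user), as an added example that is not the patch under discussion or memcached's own code. The function names and the `nobody` account are assumptions.

```c
#define _DEFAULT_SOURCE 1 /* exposes chroot() and setgroups() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <unistd.h>

/* Step 1 (may need root): raise the open-file limit to `want`. */
int raise_nofile(rlim_t want) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0) return -1;
    if (want > rl.rlim_max) rl.rlim_max = want; /* raising the hard limit needs root */
    rl.rlim_cur = want;
    return setrlimit(RLIMIT_NOFILE, &rl) == 0 ? 0 : -1;
}

/* Current soft limit, used to exercise raise_nofile() without root. */
rlim_t current_nofile(void) {
    struct rlimit rl;
    return getrlimit(RLIMIT_NOFILE, &rl) == 0 ? rl.rlim_cur : 0;
}

/* Steps 2-3: returns 0 on success, or a negative code naming the failed stage. */
int jail_and_drop(const char *user, const char *jail) {
    /* Resolve the account first: /etc/passwd is unreachable after chroot. */
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) return -1;
    uid_t uid = pw->pw_uid;
    gid_t gid = pw->pw_gid;

    /* chroot alone leaves the cwd outside the jail; chdir("/") closes that. */
    if (chroot(jail) != 0 || chdir("/") != 0) return -2;

    /* Groups first, uid last: after setuid() we may no longer change groups. */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0) return -3;
    if (setuid(uid) != 0) return -4;

    /* Verify the drop is irreversible: regaining uid 0 must fail. */
    if (uid != 0 && setuid(0) == 0) return -5;
    return 0;
}

int main(void) {
    if (raise_nofile(current_nofile()) != 0) return 1;
    int rc = jail_and_drop("nobody", "/var/empty"); /* assumed account and jail */
    if (rc != 0) { fprintf(stderr, "jail_and_drop failed at stage %d\n", rc); return 1; }
    return 0;
}
```

Run as a non-root user, this stops at stage -2 because chroot() itself requires root, which is why the jail has to be entered before the uid is dropped.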
