You don't need to run memcached as root to do that, you need to *start* it as root.

If you look just under the setrlimit(RLIMIT_NOFILE code you see that the privilege dropping happens. So you fire up memcached *from* root, specifying -u memcached and it will do its root-y things and then drop privileges to that user already.

On Tue, 20 Jul 2010, Loganaden Velvindron wrote:

> It's useful when you need to run memcached as root (-u root).
>
>
> if (setrlimit(RLIMIT_NOFILE, &rlim) != 0) {
>     fprintf(stderr, "failed to set rlimit for open files. Try running
> a$
>     exit(EX_OSERR);
> }
>
> for upping rlimit.
>
> Once it's done setting rlimit, root privileges are no longer needed.
>
> Additionally, it chroots the process to /var/empty. If the attacker somehow
> succeeds in finding an exploit, he cannot execute commands like /bin/sh, since
> he's jailed inside the /var/empty.
>
>
> //Logan
> C-x-C-c
> On Tue, Jul 20, 2010 at 2:38 AM, dormando <dorma...@rydia.net> wrote:
>
> > Greetings,
> >
> > We are a small company who are increasingly relying on
> > memcached for our big projects. We are very pleased with
> > its performance.
> >
> > I've put this patch that
> >
> > 1) chroots to /var/empty
> > 2) change from root to a simple user.
> >
> > It effectively jails the process once it no longer needs root
> > privilege and allows an attacker very little room to play.
> >
> > The patch has been working fine on our gentoo server for
> > quite some time.
> >
> > Feedback is most welcomed, and we are more than willing to
> > improve the patch to fit your standards.
>
> I'm a little confused; there is already a method for memcached to drop
> user privileges, by specifying the -u option? What's the purpose of this
> that the other function doesn't do?
>
> --
> `` Real men run current !''
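
The sequence discussed in this thread (start as root, raise RLIMIT_NOFILE, chroot to /var/empty, then drop to an unprivileged user), as an added example that is not part of the thread, the proposed patch, or memcached's source. The function names `raise_nofile` and `jail_and_drop` and the limit 4096 are hypothetical; refusing a uid 0 target is a choice made in this example.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/resource.h>
#include <unistd.h>

/* Raise the open-file limit; going past the hard limit needs root. */
int raise_nofile(rlim_t want)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    if (rl.rlim_cur >= want)
        return 0;                       /* already high enough */
    rl.rlim_cur = want;
    if (rl.rlim_max < want)
        rl.rlim_max = want;
    return setrlimit(RLIMIT_NOFILE, &rl);
}

/* 0 = jailed and dropped, 1 = not started as root, -1 = failure (caller must exit). */
int jail_and_drop(const char *user, const char *jail)
{
    struct passwd *pw = getpwnam(user); /* before chroot hides /etc/passwd */
    if (pw == NULL || pw->pw_uid == 0)
        return -1;                      /* unknown user, or a "drop" to root */
    if (geteuid() != 0)
        return 1;                       /* nothing to drop, chroot impossible */
    uid_t uid = pw->pw_uid;             /* copy: pw points at static storage */
    gid_t gid = pw->pw_gid;
    if (chroot(jail) != 0 || chdir("/") != 0)
        return -1;                      /* chdir so the cwd is inside the jail */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;                      /* groups first, uid last */
    if (setuid(0) == 0)
        return -1;                      /* root must not be recoverable */
    return 0;
}

int main(void)
{
    if (raise_nofile(4096) != 0)        /* constructed sample value */
        perror("setrlimit");
    int rc = jail_and_drop("memcached", "/var/empty");
    printf("jail_and_drop returned %d\n", rc);
    return rc < 0;
}
```

The order matters: the limit is raised and the user resolved while root and the real filesystem are still available, and the uid is changed last because every earlier step requires root.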