On Sun, Mar 06, 2016 at 07:18:57AM +0100, Sebastien Marie wrote:
[...]
> But as I don't know privileges(5) under solaris, I couldn't comment on
> differences between the promises you made with pledge(2) and the ones
> with setppriv.
> 
I do not know either, but I will take a look.
> 
> For commenting on promises (I just read a bit of memcached code), I
> think the promises are incompatible with pid_file usage (file unlinked
> at stop time, see memcached.c:5732), and as the rc.d script seems to use
> it, in default configuration, memcached will be killed when stopping. It
> will need "cpath" for calling unlink(2).
> 
> I haven't checked the code more deeply.
> 
2nd try, will put in semi-production soon.
 Cheers
  Giovanni
Index: Makefile
===================================================================
RCS file: /var/cvs/ports/misc/memcached/Makefile,v
retrieving revision 1.30
diff -u -p -r1.30 Makefile
--- Makefile    5 Mar 2016 21:30:16 -0000       1.30
+++ Makefile    6 Mar 2016 21:33:24 -0000
@@ -3,6 +3,7 @@
 COMMENT=       distributed memory object caching system
 
 DISTNAME=      memcached-1.4.25
+REVISION=      0
 CATEGORIES=    misc
 
 HOMEPAGE=      http://www.memcached.org/
@@ -12,6 +13,7 @@ MAINTAINER=   Giovanni Bechis <giovanni@op
 # BSD
 PERMIT_PACKAGE_CDROM=  Yes
 
+# uses pledge()
 WANTLIB += c event pthread
 
 FLAVOR?=
Index: patches/patch-configure
===================================================================
RCS file: /var/cvs/ports/misc/memcached/patches/patch-configure,v
retrieving revision 1.7
diff -u -p -r1.7 patch-configure
--- patches/patch-configure     5 May 2015 15:43:03 -0000       1.7
+++ patches/patch-configure     5 Mar 2016 21:46:15 -0000
@@ -1,7 +1,7 @@
 $OpenBSD: patch-configure,v 1.7 2015/05/05 15:43:03 giovanni Exp $
---- configure.orig     Sat Apr 25 22:53:45 2015
-+++ configure  Mon May  4 13:05:07 2015
-@@ -6435,7 +6435,7 @@ $as_echo "#define _GNU_SOURCE 1" >>confdefs.h
+--- configure.orig     Fri Nov 20 08:02:49 2015
++++ configure  Sat Mar  5 22:20:56 2016
+@@ -6390,7 +6390,7 @@ $as_echo "#define _GNU_SOURCE 1" >>confdefs.h
  elif test "$GCC" = "yes"
  then
    GCC_VERSION=`$CC -dumpversion`
Index: patches/patch-items_c
===================================================================
RCS file: /var/cvs/ports/misc/memcached/patches/patch-items_c,v
retrieving revision 1.10
diff -u -p -r1.10 patch-items_c
--- patches/patch-items_c       5 May 2015 15:43:03 -0000       1.10
+++ patches/patch-items_c       5 Mar 2016 21:46:25 -0000
@@ -2,9 +2,9 @@ $OpenBSD: patch-items_c,v 1.10 2015/05/0
 
 printf format string fix for long long time_t
 
---- items.c.orig       Sat Apr 25 22:47:33 2015
-+++ items.c    Mon May  4 12:52:52 2015
-@@ -459,9 +459,9 @@ char *item_cachedump(const unsigned int slabs_clsid, c
+--- items.c.orig       Fri Nov 20 02:18:56 2015
++++ items.c    Sat Mar  5 22:20:56 2016
+@@ -460,9 +460,9 @@ char *item_cachedump(const unsigned int slabs_clsid, c
          /* Copy the key since it may not be null-terminated in the struct */
          strncpy(key_temp, ITEM_key(it), it->nkey);
          key_temp[it->nkey] = 0x00; /* terminate */
Index: patches/patch-memcached_c
===================================================================
RCS file: patches/patch-memcached_c
diff -N patches/patch-memcached_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-memcached_c   6 Mar 2016 21:32:59 -0000
@@ -0,0 +1,44 @@
+$OpenBSD$
+--- memcached.c.orig   Thu Nov 19 08:19:56 2015
++++ memcached.c        Sun Mar  6 22:32:48 2016
+@@ -23,6 +23,7 @@
+ #include <sys/uio.h>
+ #include <ctype.h>
+ #include <stdarg.h>
++#include <unistd.h>
+ 
+ /* some POSIX systems need the following definition
+  * to get mlockall flags out of sys/mman.h.  */
+@@ -5766,6 +5767,32 @@ int main (int argc, char **argv) {
+ 
+     if (pid_file != NULL) {
+         save_pid(pid_file);
++    }
++
++    if (settings.socketpath != NULL) {
++        if (pid_file != NULL) {
++           if (pledge("stdio cpath unix", NULL) == -1) {
++              fprintf(stderr, "%s: pledge: %s\n", argv[0], strerror(errno));
++              exit(1);
++           }
++        } else {
++           if (pledge("stdio unix", NULL) == -1) {
++              fprintf(stderr, "%s: pledge: %s\n", argv[0], strerror(errno));
++              exit(1);
++           }
++        }
++    } else {
++        if (pid_file != NULL) {
++           if (pledge("stdio cpath inet", NULL) == -1) {
++              fprintf(stderr, "%s: pledge: %s\n", argv[0], strerror(errno));
++              exit(1);
++           }
++        } else {
++           if (pledge("stdio inet", NULL) == -1) {
++              fprintf(stderr, "%s: pledge: %s\n", argv[0], strerror(errno));
++              exit(1);
++           }
++        }
+     }
+ 
+     /* Drop privileges no longer needed */
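
Review bot: the four pledge() branches added after save_pid() in main() differ only in the promise string, so the call and its fprintf/exit error path are repeated four times, and the new lines step in by three spaces where the surrounding code uses four. Consider choosing the string first from settings.socketpath ("unix" versus "inet") and pid_file (with or without "cpath"), then calling pledge() once with a single error path. With a pid file the process also keeps "cpath" for its whole lifetime only so that the unlink(2) at stop time succeeds; a short comment above the call saying so would help the next reader.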
