Date: Friday, December 21, 2018 @ 00:03:53 Author: anthraxx Revision: 342617
upgpkg: memcached 1.5.12-1 (enable seccomp)
Yes, we enable seccomp - its not rocket science to fix if proper logs and dumps are provided and provides a significant limitation in terms of exploitation. It is tested and it works, if you encounter issues, provide proper logs, dumps an straces.
Added: memcached/trunk/memcached.service.patch
Modified: memcached/trunk/PKGBUILD
Deleted: memcached/trunk/memcached.service
-------------------------+
 PKGBUILD | 20 +++++++-----
 memcached.service | 16 ---------
 memcached.service.patch | 75 ++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 87 insertions(+), 24 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2018-12-20 19:53:18 UTC (rev 342616)
+++ PKGBUILD 2018-12-21 00:03:53 UTC (rev 342617)
@@ -3,7 +3,7 @@
 # Contributor: Michael Irwin <[email protected]>
 pkgname=memcached
-pkgver=1.5.10
+pkgver=1.5.12
 pkgrel=1
 pkgdesc='Distributed memory object caching system'
 url='https://memcached.org/'
@@ -12,21 +12,22 @@
 depends=('libevent' 'libseccomp')
 optdepends=('perl: for memcached-tool usage')
 source=(https://www.memcached.org/files/${pkgname}-${pkgver}.tar.gz
- memcached.service
+ memcached.service.patch
 memcached.tmpfiles
 memcached.sysusers)
-sha256sums=('494c060dbd96d546c74ab85a3cc3984d009b4423767ac33e05dd2340c01f1c4b'
- 'fd60fde92b959dc4160facc0d165f04319d2ece4d2c59b68d8ae24824abea7dd'
+sha256sums=('c02f97d5685617b209fbe25f3464317b234d765b427d254c2413410a5c095b29'
+ '303375f1245db0f3bf82faa6cb935639d8194c760fec45f105eecaaec22436a5'
 'c4d0ae2218b99a276ff6e0084ae81e66add0ca9347e4bde70e9172db6e44002a'
 '228c4f536f3c9f9eee4e11226ec8846a22d4ba46c2d3bf2811413efcc322609a')
-sha512sums=('5b6217ab90492cb4b3f6597c935a4028697f1d071516d647a70f6ba9353db16184ef229935733e669d4120d34d72f6f2415edcfd3ec899e06eab9d3f494f11f1'
- '5b006064b3ab31a6982f5c7b1ab4a49d64118a459913bd4be18ca63bf606dcae3550121d05a34ac8932d28b367e18fa76699c46e311b0b6a22f36ab1885ebebe'
+sha512sums=('95927fcc06e83e46a050dd50c85e50faf41e6d1f6901b757f7a842b7727a596054082a512a3b830729171556e8a995f037d39d991df2198a80a4e61a6efa1fd8'
+ '79b69d3b48ab04ff76607d52de61cfca471edb376d2a08fc2c1b9b259c097d04499d1f326ba06fd058a039de145be475cd3527007dffb2256a0b5c2ea7548a88'
 '960705ff74d25afed477e0b2a5872a3a4fb49ed3105a351f0d0224abc947778f9dbda81e80be94ab636da4a8411a9dd56a8fd4513e5b86a3096a14fa67f1548b'
 'e6ddcab9a6fee024072b6363ef60aa176ed258369bf3a17d475f19b1f410ffd6195b9c5737dc5b1371e8974b44bdbdaa109927acaeb54fb40302a5d67d7c13a8')
 prepare() {
 cd ${pkgname}-${pkgver}
- sed -e 's/^##safer##//g' -i scripts/memcached.service scripts/[email protected]
+ patch -Np1 < ../memcached.service.patch
+ sed -e 's/^##safer##//g' -i scripts/*.service
 }
 build() {
@@ -45,8 +46,11 @@
 package() {
 cd ${pkgname}-${pkgver}
 make DESTDIR="${pkgdir}" install
+ install -Dm 755 scripts/memcached-tool -t "${pkgdir}/usr/bin"
- install -Dm 644 ../memcached.service -t "${pkgdir}/usr/lib/systemd/system"
+ install -Dm 644 scripts/memcached-tool.1 -t "${pkgdir}/usr/share/man/man1"
+
+ install -Dm 644 scripts/*.service -t "${pkgdir}/usr/lib/systemd/system"
 install -Dm 644 ../memcached.tmpfiles "${pkgdir}/usr/lib/tmpfiles.d/memcached.conf"
 install -Dm 644 ../memcached.sysusers "${pkgdir}/usr/lib/sysusers.d/memcached.conf"
 }
Deleted: memcached.service
===================================================================
--- memcached.service 2018-12-20 19:53:18 UTC (rev 342616)
+++ memcached.service 2018-12-21 00:03:53 UTC (rev 342617)
@@ -1,16 +0,0 @@
-[Unit]
-Description=Memcached Daemon
-After=network.target
-
-[Service]
-User=memcached
-# Remove '-l 127.0.0.1' to listen on all addresses
-ExecStart=/usr/bin/memcached -l 127.0.0.1 -o modern
-Restart=always
-PrivateTmp=yes
-PrivateDevices=yes
-ProtectSystem=full
-MemoryDenyWriteExecute=yes
-
-[Install]
-WantedBy=multi-user.target
Added: memcached.service.patch
===================================================================
--- memcached.service.patch (rev 0)
+++ memcached.service.patch 2018-12-21 00:03:53 UTC (rev 342617)
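Review bot: The new `install -Dm 644 scripts/*.service` line ships upstream's units in place of the packaged memcached.service deleted in the next hunk, and that deleted unit carried explicit `PrivateDevices=yes`, `ProtectSystem=full` and `MemoryDenyWriteExecute=yes` that nothing in this commit visibly re-adds. The memcached.service.patch hunk only introduces User, Environment, ExecStart and Restart lines, so any equivalent hardening presumably comes from the `##safer##` directives that prepare() uncomments, of which only the `# Set up a new file system namespace` context comment is visible here. It is worth confirming on a built package with `systemd-analyze security memcached.service` (and a `memcached@` instance) that the exposure score has not regressed against the old unit. A one-line comment above the install, e.g. `# upstream units (##safer## hardening uncommented in prepare()) replace the former Arch unit and its ProtectSystem/PrivateDevices/MemoryDenyWriteExecute`, would record where that protection is now expected to come from.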
@@ -0,0 +1,75 @@
+From f74056bec3910ef03b6e993084731b482ba359ba Mon Sep 17 00:00:00 2001
+From: anthraxx <[email protected]>
+Date: Wed, 19 Dec 2018 01:00:32 +0100
+Subject: [PATCH] modern configuration purely using systemd overrides
+
+---
+ scripts/memcached.service | 12 ++++++++++--
+ scripts/[email protected] | 15 +++++++++------
+ 2 files changed, 19 insertions(+), 8 deletions(-)
+
+diff --git a/scripts/memcached.service b/scripts/memcached.service
+index 88a4b8a..3a1e87e 100644
+--- a/scripts/memcached.service
++++ b/scripts/memcached.service
+@@ -7,6 +7,9 @@
+ #
+ # [Service]
+ # Environment=OPTIONS="-l 127.0.0.1,::1"
++#
++# To use the "instanced" version of this, just start 'memcached@11211' or
++# whatever port you'd like.
+
+
+ [Unit]
+@@ -14,8 +17,13 @@ Description=memcached daemon
+ After=network.target
+
+ [Service]
+-EnvironmentFile=/etc/sysconfig/memcached
+-ExecStart=/usr/bin/memcached -p ${PORT} -u ${USER} -m ${CACHESIZE} -c ${MAXCONN} $OPTIONS
++User=memcached
++Environment=CACHESIZE=64
++Environment=MAXCONN=1024
++Environment=LISTEN="-l 127.0.0.1,::1"
++Environment=OPTIONS="-o modern -o drop_privileges"
++ExecStart=/usr/bin/memcached -m ${CACHESIZE} -c ${MAXCONN} ${LISTEN} ${OPTIONS}
++Restart=always
+
+ # Set up a new file system namespace and mounts private /tmp and /var/tmp
+ # directories so this service cannot access the global directories and
+diff --git a/scripts/[email protected] b/scripts/[email protected]
+index 4e9f1d7..e666da9 100644
+--- a/scripts/[email protected]
++++ b/scripts/[email protected]
+@@ -9,18 +9,21 @@
+ # Environment=OPTIONS="-l 127.0.0.1,::1"
+ #
+ # To use the "instanced" version of this, just start 'memcached@11211' or
+-# whatever port you'd like. If /etc/sysconfig/memcached.<port> exists, it
+-# will be read first, so you can set different parameters for a given
+-# instance.
++# whatever port you'd like.
++
+
+ [Unit]
+ Description=memcached daemon
+ After=network.target
+
+ [Service]
+-EnvironmentFile=/etc/sysconfig/memcached
+-EnvironmentFile=-/etc/sysconfig/memcached.%i
+-ExecStart=/usr/bin/memcached -p %i -u ${USER} -m ${CACHESIZE} -c ${MAXCONN} $OPTIONS
++User=memcached
++Environment=CACHESIZE=64
++Environment=MAXCONN=1024
++Environment=LISTEN="-l 127.0.0.1,::1"
++Environment=OPTIONS="-o modern -o drop_privileges"
++ExecStart=/usr/bin/memcached -p %i -m ${CACHESIZE} -c ${MAXCONN} ${LISTEN} ${OPTIONS}
++Restart=always
+
+ # Set up a new file system namespace and mounts private /tmp and /var/tmp
+ # directories so this service cannot access the global directories and
+--
+2.20.1
+
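Review bot: The `Environment=OPTIONS="-o modern -o drop_privileges"` line added to both ExecStart rewrites is what actually turns on the seccomp sandbox the commit message refers to, and nothing in the unit text says so; `drop_privileges` only has an effect when the binary was configured with seccomp support, and build() is not part of this commit (the `libseccomp` dependency appears as unchanged context in the PKGBUILD hunk, so presumably it already is). Because `Restart=always` lands in the same lines, a filter violation that terminates the daemon (presumably a kill-action SIGSYS) will surface as a restart loop rather than a persistent failure, so the logs, dumps and straces the commit message asks for should be collected from `journalctl -u memcached` and coredumpctl before the unit hits its start limit. A comment above the OPTIONS line in both files, e.g. `# drop_privileges enables memcached's seccomp filter; a violation terminates the process — check journalctl/coredumpctl if the unit restart-loops`, would keep that knowledge with the unit instead of in this commit message. Both patched unit files continue outside the hunk.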
