Source: memcached
Version: 1.5.0-1
Severity: wishlist
Tags: patch


Please add some hardening features to the systemd .service file. :)

(Patch attached.)


     : :'  :     Chris Lamb, Debian Project Leader
     `. `'` /
diff --git a/debian/memcached.service b/debian/memcached.service
index fae53a5..f816a93 100644
--- a/debian/memcached.service
+++ b/debian/memcached.service
@@ -6,5 +6,56 @@ Documentation=man:memcached(1)
+# Set up a new file system namespace and mounts private /tmp and /var/tmp 
+# so this service cannot access the global directories and other processes 
+# access this service's directories.
+# Mounts the /usr, /boot, and /etc directories read-only for processes invoked 
by this unit.
+# Ensures that the service process and all its children can never gain new 
+# Sets up a new /dev namespace for the executed processes and only adds API 
pseudo devices
+# such as /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY 
subsystem) to it,
+# but no physical devices such as /dev/sda.
+# Required for dropping privileges and running as a different user
+# Attempts to create memory mappings that are writable and executable at the 
same time,
+# or to change existing memory mappings to become executable are prohibited.
+# Explicit module loading will be denied. This allows to turn off module load 
and unload
+# operations on modular kernels. It is recommended to turn this on for most 
services that
+# do not need special file systems or extra kernel modules to work.
+# Kernel variables accessible through /proc/sys, /sys, /proc/sysrq-trigger, 
+# /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq will be made read-only 
to all processes
+# of the unit. Usually, tunable kernel variables should only be written at 
boot-time, with the
+# sysctl.d(5) mechanism. Almost no services need to write to these at runtime; 
it is hence
+# recommended to turn this on for most services.
+# The Linux Control Groups (cgroups(7)) hierarchies accessible through 
/sys/fs/cgroup will be
+# made read-only to all processes of the unit. Except for container managers 
no services should
+# require write access to the control groups hierarchies; it is hence 
recommended to turn this on
+# for most services
+# Any attempts to enable realtime scheduling in a process of the unit are 
+# Restricts the set of socket address families accessible to the processes of 
this unit.
+# Protects against vulnerabilities such as CVE-2016-8655
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+# Takes away the ability to create or manage any kind of namespace

Reply via email to