dormando wrote:
Ehh fine. I guess I'll cut a 1.2.9.
It'll contain this single patch and there won't be a lot of fanfare to it.
I'll get this out ASAP.
This bug is definitely not serious, and anyone claiming it as a root hole
should be strangled. Please don't run this thing as root in a place where
people can put whatever random trash they want into the system.

If you look at the source the only way to run memcached as root is by
using -u root. What if we removed that option as well?? I guess the only
thing you would need extra privileges for would be binding to a port <
1024, but do we really need to support that?
We could also look for the users noaccess or nobody and automatically
switch to one of those users if they exist if the user didn't provide
another username (and if none of them is found, print out an error message
and terminate). This would make it impossible to run as root, and all
this fuss about root exploits would just go to /dev/null where it
belongs...
Just my 0.5NOK
Trond
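
A sketch of the startup policy proposed in the reply above, as an added example that is not memcached's code and not part of the original thread: refuse a uid-0 account, fall back to noaccess or nobody when no user is given, and otherwise terminate. The names `choose_run_user`, `drop_privileges` and `lookup_fn` are hypothetical, and the drop sequence (groups, gid, uid, verify) is an assumption about how the switch would be done.

```c
#define _DEFAULT_SOURCE 1 /* glibc: expose setgroups() */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

/* Fallback accounts named in the message, tried in this order. */
static const char *const FALLBACK_USERS[] = { "noaccess", "nobody", NULL };
typedef struct passwd *(*lookup_fn)(const char *name);
/* Hypothetical policy helper. Returns 0 and sets *out to the account to
 * switch to (NULL: not root, nothing to drop), or -1 to refuse to start. */
int choose_run_user(uid_t euid, const char *requested, lookup_fn lookup,
                    const struct passwd **out)
{
    *out = NULL;
    if (euid != 0) return 0;
    if (requested != NULL) {           /* explicit -u <name> */
        const struct passwd *pw = lookup(requested);
        *out = (pw != NULL && pw->pw_uid != 0) ? pw : NULL;
        return *out != NULL ? 0 : -1;  /* unknown account or "-u root" */
    }
    for (size_t i = 0; FALLBACK_USERS[i] != NULL && *out == NULL; i++) {
        const struct passwd *pw = lookup(FALLBACK_USERS[i]);
        if (pw != NULL && pw->pw_uid != 0)
            *out = pw;
    }
    return *out != NULL ? 0 : -1;      /* no fallback account: refuse */
}

/* Permanent drop: supplementary groups, then gid, then uid, then verify. */
int drop_privileges(const struct passwd *pw)
{
    if (setgroups(1, &pw->pw_gid) != 0 || setgid(pw->pw_gid) != 0 ||
        setuid(pw->pw_uid) != 0)
        return -1;
    return setuid(0) == 0 ? -1 : 0;    /* regaining root must fail */
}

int main(void)
{
    const struct passwd *pw;
    if (choose_run_user(geteuid(), NULL, getpwnam, &pw) != 0 ||
        (pw != NULL && drop_privileges(pw) != 0)) {
        fprintf(stderr, "refusing to run as root\n");
        return 1;
    }
    printf("running as uid %ld\n", (long)getuid());
    return 0;
}
```

The lookup is passed in as a function pointer so the policy can be exercised without being root; `main` uses the real `getpwnam`.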