Hi all, I created a PR adding drop_privileges equivalent for Linux. It uses seccomp and is restricted to actions I could find in a normal configuration. It disallows outgoing connections, disk access, uncommon syscalls, etc.
Have a look at https://github.com/memcached/memcached/pull/94 and give it a go. I definitely haven't checked all possible configurations. If anyone could check that I haven't broken compilation on non-Intel machines, that would be great.

To enable it, compile with --enable-seccomp. Minimum requirement is Linux kernel 3.5 with bpf filters and seccomp enabled.

The only big issue I know of at the moment is that tests cannot be run with seccomp enabled. This is a bit tricky to fix, because tests want to write to disk and the whole idea behind seccomp is to disallow it.

Comments / ideas welcome :)

Stan
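As an added illustration of the kind of policy the post describes (this is not code from the pull request or from memcached, and it does not reproduce the PR's actual syscall list), here is a small seccomp-bpf filter in C. It keeps ALLOW as the default action, returns EPERM for connect() and for any open()/openat()/creat() that asks for write access, and kills the process if the filter ever runs under a different ABI than it was built for (the non-Intel concern raised above). It is installed with prctl(PR_SET_SECCOMP), which is what a kernel 3.5 minimum implies, rather than the later seccomp(2) call. The probe functions are run in a forked child so the calling process is never left filtered; the read-only open that succeeds next to the write open that fails is exactly the "tests want to write to disk" problem from the post. Names such as install_filter, deny_write_open and run_probes_in_child are mine.

```c
/* Added example, not code from the memcached PR: a seccomp-bpf policy in the
 * spirit of the post. Default action is ALLOW; connect() and write-mode opens
 * return EPERM. Installed with prctl(PR_SET_SECCOMP) (kernel >= 3.5). */
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/un.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38
#endif

/* Syscall numbers differ per ABI, so the filter must refuse to run elsewhere. */
#if defined(__x86_64__)
#define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define FILTER_ARCH AUDIT_ARCH_AARCH64
#else
#define FILTER_ARCH 0 /* not handled here: install_filter() reports failure */
#endif

#define WRITE_FLAGS (O_WRONLY | O_RDWR | O_CREAT | O_TRUNC)
#define RET_EPERM   (SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))

static struct sock_filter insns[32];
static unsigned short ninsns;

static void emit(unsigned short code, unsigned char jt, unsigned char jf, unsigned int k)
{
    if (ninsns < sizeof insns / sizeof insns[0]) {
        insns[ninsns].code = code; insns[ninsns].jt = jt;
        insns[ninsns].jf = jf;     insns[ninsns].k = k;
        ninsns++;
    }
}

static void load_nr(void)
{
    emit(BPF_LD | BPF_W | BPF_ABS, 0, 0, offsetof(struct seccomp_data, nr));
}

/* Always return EPERM for one syscall number. */
static void deny_syscall(unsigned int nr)
{
    load_nr();
    emit(BPF_JMP | BPF_JEQ | BPF_K, 0, 1, nr);  /* not nr: skip the RET */
    emit(BPF_RET | BPF_K, 0, 0, RET_EPERM);
}

/* Return EPERM for an open-style syscall only when its flags argument asks for
 * write access; read-only opens fall through to ALLOW. Reads the low 32 bits
 * of args[argidx], which holds the flags word on little-endian ABIs. */
static void deny_write_open(unsigned int nr, unsigned int argidx)
{
    load_nr();
    emit(BPF_JMP | BPF_JEQ | BPF_K, 0, 3, nr);  /* not nr: skip the 3 below */
    emit(BPF_LD | BPF_W | BPF_ABS, 0, 0,
         offsetof(struct seccomp_data, args) + argidx * 8);
    emit(BPF_JMP | BPF_JSET | BPF_K, 0, 1, WRITE_FLAGS); /* no write bit: skip */
    emit(BPF_RET | BPF_K, 0, 0, RET_EPERM);
}

/* Build and install the filter for the calling thread. 0 on success, -1 otherwise. */
int install_filter(void)
{
    if (FILTER_ARCH == 0) { errno = ENOSYS; return -1; }
    ninsns = 0;
    emit(BPF_LD | BPF_W | BPF_ABS, 0, 0, offsetof(struct seccomp_data, arch));
    emit(BPF_JMP | BPF_JEQ | BPF_K, 1, 0, FILTER_ARCH); /* match: skip KILL */
    emit(BPF_RET | BPF_K, 0, 0, SECCOMP_RET_KILL);
    deny_syscall(__NR_connect);            /* no outgoing connections */
#ifdef __NR_open
    deny_write_open(__NR_open, 1);         /* flags is the 2nd argument */
#endif
    deny_write_open(__NR_openat, 2);       /* flags is the 3rd argument */
#ifdef __NR_creat
    deny_syscall(__NR_creat);              /* creat() is always a write */
#endif
    emit(BPF_RET | BPF_K, 0, 0, SECCOMP_RET_ALLOW);

    struct sock_fprog prog = { .len = ninsns, .filter = insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
}

/* Probes: each returns 1 when the filtered behaviour is observed. The AF_UNIX
 * path is a constructed, non-existent name so no real endpoint is touched. */
int probe_connect_blocked(void)
{
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return 0;
    struct sockaddr_un sa; memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    strncpy(sa.sun_path, "/nonexistent-seccomp-probe.sock", sizeof sa.sun_path - 1);
    int r = connect(fd, (struct sockaddr *)&sa, sizeof sa);
    int e = errno;
    close(fd);
    return r == -1 && e == EPERM;
}

int probe_write_open_blocked(void)
{
    int fd = open("/dev/null", O_WRONLY);
    if (fd >= 0) { close(fd); return 0; }
    return errno == EPERM;
}

int probe_read_open_allowed(void)
{
    int fd = open("/dev/null", O_RDONLY);
    if (fd < 0) return 0;
    close(fd);
    return 1;
}

/* Install the filter in a child and run the probes there, leaving the parent
 * unfiltered. Returns -1 (fork/wait failed), 0 (filter could not be installed),
 * 1 (all probes behaved as expected) or 2 (filter installed but a probe failed). */
int run_probes_in_child(void)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (install_filter() != 0) _exit(0);
        int ok = probe_connect_blocked() && probe_write_open_blocked() &&
                 probe_read_open_allowed();
        _exit(ok ? 1 : 2);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (!WIFEXITED(status)) return 2;  /* e.g. killed by SIGSYS */
    return WEXITSTATUS(status);
}

int main(void)
{
    static const char *msg[] = { "fork/wait failed", "filter not installable here",
                                 "connect and write-open denied, read-open allowed",
                                 "filter installed but a probe misbehaved" };
    int r = run_probes_in_child();
    printf("seccomp probe: %s\n", msg[r + 1]);
    return r == 1 ? 0 : 1;
}
```

The denylist form is used for brevity; a policy like the one in the PR, which starts from the syscalls a normal configuration actually needs, is the stronger design, and this block shows the mechanics (arch pinning, argument inspection, ERRNO versus KILL) that such a policy is built from.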
