Chris Josephes wrote: >> *I think this is a question of fully utilizing SMF security features, >> along with potentially maintaining patches to some of the open source >> code to bypass their own cross-platform security implementation, and >> needing to help users understand why our delivery of a familiar server >> is supposed to operate differently than they are accustomed. > > I think there's something that requires clarification here. > > Nothing that I originally proposed requires changing the source code, > maintaining a fork, or contributing patches to the Danga memcache code. It > was only a proposed change to the manifest file and method script. And from > what I can tell, those 2 files aren't even shipped and distrbuted by Danga. > > For example, I could download the current memcache distribution, replace > those two files myself and it would still work perfectly. > >> This same question* could apply to just about any of the Web Stack >> features. It should be obvious why SMF is used (friendlier than generic >> SysV init, supports some level of customization of the service without >> the user having to edit files, etc.) > > Okay, it's obvious why SMF is used. What isn't obvious is why an established > convention that other third party applications work fine with is considered > taboo for Memcache.
I guess that is a question for the person who originally wrote the SMF for memcached. I would _guess_ that they did it to be end-user-friendly. It is much easier to say: * "set the options you want to enable on memcached in this SMF property and restart the service" Than: * If you want to listen to a privileged port (link to a definition of a privileged port) you have to give the service the following set of privileges * If you want memcached to lock it's pages into memory you have to give the service the following privilege * If you for some reason want to run memcached as this special user, don't follow the method google told you, on Solaris you need to do this by changing the creds.. The method we use here is the same method you'll find on pretty much all of the linux variants out there, so it really can't be that bad. And as I also said in another message: memcached is by design insecure and you should therefore _only_ run it in your private and secure network. If this is a really big problem for you I suggest that you create a bug report on the issue and use your support contract to escalate it. Cheers, Trond
