On 29. sep. 2009, at 23.33, Chris Josephes wrote:

>> To be serious, yes things could be done a bit differently but this
>> solution requires the least architectural review and meets user needs
>> without being too complicated.
>
> How does this change affect or add time to the architectural
> review? Would it make sense for me to submit a proposal for a
> future release.
>
I would have to consider upgrade paths for users (they would experience weird problems if they tried to configure the service "like they used to"). Documentation needs to be updated to specify what privileges you need to set if you use various flags for memcached (privileged port if you would like to bind to a nonstandard port, privilege to lock memory pages into memory, any others??)

That being said, I really don't think people care about what user memcached actually runs as, and I am pretty sure no one will ever change the user id of memcached.

> I'm not trying to be critical, but here's the problem that I have.
>
> Back in 2005, Glenn Burnette wrote a Sun Blueprints paper discussing
> the practice of limiting privileges in Apache (or other services)
> and the advantages of Solaris security compared to other platforms.
>
> http://www.sun.com/blueprints/0505/819-2680.pdf
>

Exactly what is the _problem_? What are you not able to do with the suggested approach?

> So it's a little disappointing when I see one or two Coolstack
> applications that don't even adhere to conventions that were set
> forth years ago.

I don't know much about coolstack, but I know quite a bit about memcached (being one of the developers on the product and some of its client libraries). Memcached doesn't implement _any_ kind of security at all, and shouldn't be serving any network ports on a public network. This means that you need to be on your network in order to even try to "exploit" it. When memcached is done trying to lock memory pages and bind to the socket it will drop all privileges and run privilege free (all it does at this point is to accept new sockets, read and write data to them).

And yes, you really don't want to connect your memcached servers directly to the internet, because then everyone can DOS you by connecting to your memcached servers and running "flush_all" every second and flushing your complete cache.

Cheers,

Trond