[arch-commits] Commit in memcached/trunk (3 files)

Levente Polyak anthraxx at archlinux.org
Fri Dec 21 00:04:06 UTC 2018


    Date: Friday, December 21, 2018 @ 00:03:53
  Author: anthraxx
Revision: 342617

upgpkg: memcached 1.5.12-1 (enable seccomp)

Yes, we enable seccomp - it's not rocket science to fix if
proper logs and dumps are provided, and it provides a significant
limitation in terms of exploitation.

It is tested and it works; if you encounter issues, provide proper
logs, dumps and straces.

Added:
  memcached/trunk/memcached.service.patch
Modified:
  memcached/trunk/PKGBUILD
Deleted:
  memcached/trunk/memcached.service

-------------------------+
 PKGBUILD                |   20 +++++++-----
 memcached.service       |   16 ---------
 memcached.service.patch |   75 ++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 87 insertions(+), 24 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2018-12-20 19:53:18 UTC (rev 342616)
+++ PKGBUILD	2018-12-21 00:03:53 UTC (rev 342617)
@@ -3,7 +3,7 @@
 # Contributor: Michael Irwin <6d6469 at gmail.com>
 
 pkgname=memcached
-pkgver=1.5.10
+pkgver=1.5.12
 pkgrel=1
 pkgdesc='Distributed memory object caching system'
 url='https://memcached.org/'
@@ -12,21 +12,22 @@
 depends=('libevent' 'libseccomp')
 optdepends=('perl: for memcached-tool usage')
 source=(https://www.memcached.org/files/${pkgname}-${pkgver}.tar.gz
-        memcached.service
+        memcached.service.patch
         memcached.tmpfiles
         memcached.sysusers)
-sha256sums=('494c060dbd96d546c74ab85a3cc3984d009b4423767ac33e05dd2340c01f1c4b'
-            'fd60fde92b959dc4160facc0d165f04319d2ece4d2c59b68d8ae24824abea7dd'
+sha256sums=('c02f97d5685617b209fbe25f3464317b234d765b427d254c2413410a5c095b29'
+            '303375f1245db0f3bf82faa6cb935639d8194c760fec45f105eecaaec22436a5'
             'c4d0ae2218b99a276ff6e0084ae81e66add0ca9347e4bde70e9172db6e44002a'
             '228c4f536f3c9f9eee4e11226ec8846a22d4ba46c2d3bf2811413efcc322609a')
-sha512sums=('5b6217ab90492cb4b3f6597c935a4028697f1d071516d647a70f6ba9353db16184ef229935733e669d4120d34d72f6f2415edcfd3ec899e06eab9d3f494f11f1'
-            '5b006064b3ab31a6982f5c7b1ab4a49d64118a459913bd4be18ca63bf606dcae3550121d05a34ac8932d28b367e18fa76699c46e311b0b6a22f36ab1885ebebe'
+sha512sums=('95927fcc06e83e46a050dd50c85e50faf41e6d1f6901b757f7a842b7727a596054082a512a3b830729171556e8a995f037d39d991df2198a80a4e61a6efa1fd8'
+            '79b69d3b48ab04ff76607d52de61cfca471edb376d2a08fc2c1b9b259c097d04499d1f326ba06fd058a039de145be475cd3527007dffb2256a0b5c2ea7548a88'
             '960705ff74d25afed477e0b2a5872a3a4fb49ed3105a351f0d0224abc947778f9dbda81e80be94ab636da4a8411a9dd56a8fd4513e5b86a3096a14fa67f1548b'
             'e6ddcab9a6fee024072b6363ef60aa176ed258369bf3a17d475f19b1f410ffd6195b9c5737dc5b1371e8974b44bdbdaa109927acaeb54fb40302a5d67d7c13a8')
 
 prepare() {
   cd ${pkgname}-${pkgver}
-  sed -e 's/^##safer##//g' -i scripts/memcached.service scripts/memcached at .service
+  patch -Np1 < ../memcached.service.patch
+  sed -e 's/^##safer##//g' -i scripts/*.service
 }
 
 build() {
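Review bot: The `sed -e 's/^##safer##//g' -i scripts/*.service` line in prepare() succeeds even when no line carries the `##safer##` prefix, so if upstream renames or drops that marker the units would ship without their sandboxing directives and the build would still pass. This matters more after this commit, because the Arch-maintained unit with `PrivateTmp`, `PrivateDevices`, `ProtectSystem=full` and `MemoryDenyWriteExecute` is deleted and the hardening now presumably comes only from those upstream lines. A guard placed before the sed, `grep -q '^##safer##' scripts/*.service || return 1`, would turn that silent loss into a build failure.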
@@ -45,8 +46,11 @@
 package() {
   cd ${pkgname}-${pkgver}
   make DESTDIR="${pkgdir}" install
+
   install -Dm 755 scripts/memcached-tool -t "${pkgdir}/usr/bin"
-  install -Dm 644 ../memcached.service -t "${pkgdir}/usr/lib/systemd/system"
+  install -Dm 644 scripts/memcached-tool.1 -t "${pkgdir}/usr/share/man/man1"
+
+  install -Dm 644 scripts/*.service -t "${pkgdir}/usr/lib/systemd/system"
   install -Dm 644 ../memcached.tmpfiles "${pkgdir}/usr/lib/tmpfiles.d/memcached.conf"
   install -Dm 644 ../memcached.sysusers "${pkgdir}/usr/lib/sysusers.d/memcached.conf"
 }
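Review bot: `install -Dm 644 scripts/*.service -t "${pkgdir}/usr/lib/systemd/system"` in package() installs whatever unit files a future upstream tarball places in scripts/, not only the two that memcached.service.patch modifies and this commit reviews. Naming the two unit files explicitly, as the removed sed line in prepare() did, keeps the set of installed units fixed, so a new upstream unit arrives as a deliberate PKGBUILD change rather than silently. The same applies to the `scripts/*.service` glob now passed to sed in prepare().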

Deleted: memcached.service
===================================================================
--- memcached.service	2018-12-20 19:53:18 UTC (rev 342616)
+++ memcached.service	2018-12-21 00:03:53 UTC (rev 342617)
@@ -1,16 +0,0 @@
-[Unit]
-Description=Memcached Daemon
-After=network.target
-
-[Service]
-User=memcached
-# Remove '-l 127.0.0.1' to listen on all addresses
-ExecStart=/usr/bin/memcached -l 127.0.0.1 -o modern
-Restart=always
-PrivateTmp=yes
-PrivateDevices=yes
-ProtectSystem=full
-MemoryDenyWriteExecute=yes
-
-[Install]
-WantedBy=multi-user.target

Added: memcached.service.patch
===================================================================
--- memcached.service.patch	                        (rev 0)
+++ memcached.service.patch	2018-12-21 00:03:53 UTC (rev 342617)
@@ -0,0 +1,75 @@
+From f74056bec3910ef03b6e993084731b482ba359ba Mon Sep 17 00:00:00 2001
+From: anthraxx <levente at leventepolyak.net>
+Date: Wed, 19 Dec 2018 01:00:32 +0100
+Subject: [PATCH] modern configuration purely using systemd overrides
+
+---
+ scripts/memcached.service  | 12 ++++++++++--
+ scripts/memcached at .service | 15 +++++++++------
+ 2 files changed, 19 insertions(+), 8 deletions(-)
+
+diff --git a/scripts/memcached.service b/scripts/memcached.service
+index 88a4b8a..3a1e87e 100644
+--- a/scripts/memcached.service
++++ b/scripts/memcached.service
+@@ -7,6 +7,9 @@
+ #
+ #     [Service]
+ #     Environment=OPTIONS="-l 127.0.0.1,::1"
++#
++# To use the "instanced" version of this, just start 'memcached at 11211' or
++# whatever port you'd like.
+ 
+ 
+ [Unit]
+@@ -14,8 +17,13 @@ Description=memcached daemon
+ After=network.target
+ 
+ [Service]
+-EnvironmentFile=/etc/sysconfig/memcached
+-ExecStart=/usr/bin/memcached -p ${PORT} -u ${USER} -m ${CACHESIZE} -c ${MAXCONN} $OPTIONS
++User=memcached
++Environment=CACHESIZE=64
++Environment=MAXCONN=1024
++Environment=LISTEN="-l 127.0.0.1,::1"
++Environment=OPTIONS="-o modern -o drop_privileges"
++ExecStart=/usr/bin/memcached -m ${CACHESIZE} -c ${MAXCONN} ${LISTEN} ${OPTIONS}
++Restart=always
+ 
+ # Set up a new file system namespace and mounts private /tmp and /var/tmp
+ # directories so this service cannot access the global directories and
+diff --git a/scripts/memcached at .service b/scripts/memcached at .service
+index 4e9f1d7..e666da9 100644
+--- a/scripts/memcached at .service
++++ b/scripts/memcached at .service
+@@ -9,18 +9,21 @@
+ #     Environment=OPTIONS="-l 127.0.0.1,::1"
+ #
+ # To use the "instanced" version of this, just start 'memcached at 11211' or
+-# whatever port you'd like. If /etc/sysconfig/memcached.<port> exists, it
+-# will be read first, so you can set different parameters for a given
+-# instance.
++# whatever port you'd like.
++
+ 
+ [Unit]
+ Description=memcached daemon
+ After=network.target
+ 
+ [Service]
+-EnvironmentFile=/etc/sysconfig/memcached
+-EnvironmentFile=-/etc/sysconfig/memcached.%i
+-ExecStart=/usr/bin/memcached -p %i -u ${USER} -m ${CACHESIZE} -c ${MAXCONN} $OPTIONS
++User=memcached
++Environment=CACHESIZE=64
++Environment=MAXCONN=1024
++Environment=LISTEN="-l 127.0.0.1,::1"
++Environment=OPTIONS="-o modern -o drop_privileges"
++ExecStart=/usr/bin/memcached -p %i -m ${CACHESIZE} -c ${MAXCONN} ${LISTEN} ${OPTIONS}
++Restart=always
+ 
+ # Set up a new file system namespace and mounts private /tmp and /var/tmp
+ # directories so this service cannot access the global directories and
+-- 
+2.20.1
+
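Review bot: The header comment kept as context in both unit files still gives `Environment=OPTIONS="-l 127.0.0.1,::1"` as the drop-in example, but after this patch OPTIONS carries `-o modern -o drop_privileges`, so an admin who follows that example replaces the value and starts memcached without `drop_privileges`, which appears to be what enables the seccomp restriction named in the commit title. The example should move to the new variable, `#     Environment=LISTEN="-l 127.0.0.1,::1"`, with a line stating that an OPTIONS override has to repeat `-o drop_privileges`. Separately, systemd.service(5) documents `${VAR}` as expanding to exactly one argument and `$VAR` as splitting on whitespace; the patch changes `$OPTIONS` to `${OPTIONS}` and adds `${LISTEN}`, both holding multi-word values, so it is worth confirming that memcached receives them as separate arguments, or using `$LISTEN $OPTIONS` in both ExecStart lines. Only part of each unit file is visible in the inner hunks.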


