Description
If possible, memcached should be configured to run under a profile, or be made privilege-aware so that it starts up with a reduced set of privileges. This reduces the chance that certain security vulnerabilities affect a Solaris system running memcached.
The idea would be for it to run the way rpcbind does, for instance, though the specific privileges would need to be determined:
# pgrep -lf memcached
11405 /usr/lib/memcached -u nobody
# ppriv 11405
11405: /usr/lib/memcached -u nobody
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
# ppriv `pgrep rpcbind`
318: /usr/sbin/rpcbind
flags = PRIV_AWARE
        E: basic,!file_link_any,net_bindmlp,net_privaddr,!proc_exec,!proc_info,!proc_session,sys_nfs
        I: basic,!file_link_any,!proc_exec,!proc_fork,!proc_info,!proc_session
        P: basic,!file_link_any,net_bindmlp,net_privaddr,!proc_exec,!proc_info,!proc_session,sys_nfs
        L: basic,!file_link_any,!proc_exec,!proc_fork,!proc_info,!proc_session
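One way to check whether a daemon's privilege sets have actually been reduced, as an added example that is not part of the original report: the script reads `ppriv` output on stdin and flags any process that is not PRIV_AWARE or still holds the default `basic` effective/permitted set or the `all` limit set. The function names and the flagging criteria are assumptions of this example; the sample input is the `ppriv` output shown above.

```shell
#!/bin/sh
# Added example: audit ppriv output for processes with unreduced privileges.
# Intended use on a Solaris host:  ppriv `pgrep memcached` | check_ppriv

# Prints one line per process: "<pid> REDUCED" or "<pid> UNREDUCED <reasons>".
# The criteria below are this example's own heuristics, not a Solaris standard.
check_ppriv() {
    awk '
    function report(   reasons) {
        if (pid == "") return
        reasons = ""
        if (flags !~ /PRIV_AWARE/) reasons = reasons " not-priv-aware"
        if (set["E"] == "basic")   reasons = reasons " E=basic"
        if (set["P"] == "basic")   reasons = reasons " P=basic"
        if (set["L"] == "all")     reasons = reasons " L=all"
        printf "%s %s%s\n", pid, (reasons == "" ? "REDUCED" : "UNREDUCED"), reasons
    }
    # "<pid>: <command line>" starts a new process record.
    $1 ~ /^[0-9]+:$/ {
        report()
        pid = $1; sub(/:$/, "", pid)
        flags = ""; set["E"] = ""; set["I"] = ""; set["P"] = ""; set["L"] = ""
        next
    }
    # "flags = <none>" or "flags = PRIV_AWARE"
    $1 == "flags" { flags = $3; next }
    # "E: ...", "I: ...", "P: ...", "L: ..." privilege sets
    $1 ~ /^[EIPL]:$/ { set[substr($1, 1, 1)] = $2; next }
    END { report() }
    '
}

# Sample input: the two ppriv outputs shown in the description above.
sample_ppriv() {
    cat <<'EOF'
11405: /usr/lib/memcached -u nobody
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
318: /usr/sbin/rpcbind
flags = PRIV_AWARE
        E: basic,!file_link_any,net_bindmlp,net_privaddr,!proc_exec,!proc_info,!proc_session,sys_nfs
        I: basic,!file_link_any,!proc_exec,!proc_fork,!proc_info,!proc_session
        P: basic,!file_link_any,net_bindmlp,net_privaddr,!proc_exec,!proc_info,!proc_session,sys_nfs
        L: basic,!file_link_any,!proc_exec,!proc_fork,!proc_info,!proc_session
EOF
}

sample_ppriv | check_ppriv
```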