.gear/rules | 3 + .../tags/e575dfae5e3718fc8a132fd08d8d83e61d1565c2 | 6 + .gear/tags/list | 1 + .gear/upstream/remotes | 3 + memcached.c | 34 ++- memcached.conf | 47 ++++ memcached.init | 99 +++++++ memcached.service | 39 +++ memcached.spec | 300 +++++++++++++++++++++ memcached.sysconfig | 15 ++ memcached@.service | 44 +++ 11 files changed, 572 insertions(+), 19 deletions(-) diff --git a/.gear/rules b/.gear/rules new file mode 100644 index 0000000..b1ec84a --- /dev/null +++ b/.gear/rules @@ -0,0 +1,3 @@ +tar: @version@:. +diff: @version@:. . name=@name@-@version@.patch + diff --git a/.gear/tags/e575dfae5e3718fc8a132fd08d8d83e61d1565c2 b/.gear/tags/e575dfae5e3718fc8a132fd08d8d83e61d1565c2 new file mode 100644 index 0000000..c58efd2 --- /dev/null +++ b/.gear/tags/e575dfae5e3718fc8a132fd08d8d83e61d1565c2 @@ -0,0 +1,6 @@ +object efee763c93249358ea5b3b42c7fd4e57e2599c30 +type commit +tag 1.6.21 +tagger dormando 1686881534 -0700 + +https://github.com/memcached/memcached/wiki/ReleaseNotes1621 diff --git a/.gear/tags/list b/.gear/tags/list new file mode 100644 index 0000000..467a57d --- /dev/null +++ b/.gear/tags/list @@ -0,0 +1 @@ +e575dfae5e3718fc8a132fd08d8d83e61d1565c2 1.6.21 diff --git a/.gear/upstream/remotes b/.gear/upstream/remotes new file mode 100644 index 0000000..2c4ec05 --- /dev/null +++ b/.gear/upstream/remotes @@ -0,0 +1,3 @@ +[remote "upstream"] + url = https://github.com/memcached/memcached.git + fetch = +refs/heads/*:refs/remotes/upstream/* diff --git a/memcached.c b/memcached.c index 306a952..910cfdd 100644 --- a/memcached.c +++ b/memcached.c @@ -33,6 +33,7 @@ #define _P1003_1B_VISIBLE #endif #include +#include #include #include #include @@ -4740,6 +4741,8 @@ int main (int argc, char **argv) { char *pid_file = NULL; struct passwd *pw; struct rlimit rlim; + uid_t uid = 0; + gid_t gid = 0; char *buf; char unit = '\0'; int size_max = 0; 
@@ -5884,24 +5887,10 @@ int main (int argc, char **argv) { fprintf(stderr, "can't find the user %s to switch to\n", username); exit(EX_NOUSER); } - if (setgroups(0, NULL) < 0) { - /* setgroups may fail with EPERM, indicating we are already in a - * minimally-privileged state. In that case we continue. For all - * other failure codes we exit. - * - * Note that errno is stored here because fprintf may change it. - */ - bool should_exit = errno != EPERM; - fprintf(stderr, "failed to drop supplementary groups: %s\n", - strerror(errno)); - if (should_exit) { - exit(EX_OSERR); - } - } - if (setgid(pw->pw_gid) < 0 || setuid(pw->pw_uid) < 0) { - fprintf(stderr, "failed to assume identity of user %s\n", username); - exit(EX_OSERR); - } + uid = pw->pw_uid; + gid = pw->pw_gid; + pw = NULL; + endpwent(); } /* Initialize Sasl if -S was specified */ @@ -5919,6 +5908,7 @@ int main (int argc, char **argv) { fprintf(stderr, "failed to daemon() in order to daemonize\n"); exit(EXIT_FAILURE); } + save_pid(pid_file); } /* lock paged memory if needed */ @@ -5934,6 +5924,12 @@ int main (int argc, char **argv) { #endif } + if ((uid || gid) && + (setgroups(0, 0) < 0 || setgid(gid) < 0 || setuid(uid) < 0)) { + fprintf(stderr, "failed to assume identity of user %s\n", username); + exit(EX_OSERR); + } + /* initialize main thread libevent instance */ #if defined(LIBEVENT_VERSION_NUMBER) && LIBEVENT_VERSION_NUMBER >= 0x02000101 /* If libevent version is larger/equal to 2.0.2-alpha, use newer version */ @@ -6256,7 +6252,7 @@ int main (int argc, char **argv) { } /* remove the PID file if we're a daemon */ - if (do_daemonize) + if (do_daemonize && !(uid || gid)) remove_pidfile(pid_file); /* Clean up strdup() call for bind() address */ if (settings.inter) diff --git a/memcached.conf b/memcached.conf new file mode 100644 index 0000000..e0ee9d2 --- /dev/null +++ b/memcached.conf 
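Review bot: The consolidated privilege drop added in the `@@ -5924,6 +5924,12 @@` hunk reports a failure of setgroups, setgid or setuid with one message and no errno, whereas the removed code printed `strerror(errno)` for the setgroups case; suggest `fprintf(stderr, "failed to assume identity of user %s: %s\n", username, strerror(errno));`. Because the drop now sits after the daemonize and memory-locking steps, everything between the passwd lookup and this point, including the SASL initialisation that follows the lookup in the `@@ -5884,24 +5887,10 @@` hunk, runs under the starting identity; a comment at the new block such as `/* drop privileges only after the pidfile is written and memory is locked */` would record that this ordering is deliberate. The `(uid || gid)` guard also skips `setgroups` entirely when the target account has uid and gid 0, which the removed code did not, and the removed tolerance for EPERM from setgroups is gone without explanation. main continues outside these hunks.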
@@ -0,0 +1,47 @@
+# memcached default config file
+# 2003 - Jay Bonci
+# This configuration file is read by the start-memcached script provided as
+# part of the Debian GNU/Linux distribution.
+
+# Run memcached as a daemon. This command is implied, and is not needed for the
+# daemon to run. See the README.Debian that comes with this package for more
+# information.
+-d
+
+# Log memcached's output to /var/log/memcached
+logfile /var/log/memcached
+
+# Be verbose
+# -v
+
+# Be even more verbose (print client commands as well)
+# -vv
+
+# Start with a cap of 64 megs of memory. It's reasonable, and the daemon default
+# Note that the daemon will grow to this size, but does not start out holding this much
+# memory
+-m 64
+
+# Default connection port is 11211
+-p 11211
+
+# Run the daemon as root. The start-memcached will default to running as root if no
+# -u command is present in this config file
+-u memcached
+
+# Specify which IP address to listen on. The default is to listen on all IP addresses
+# This parameter is one of the only security measures that memcached has, so make sure
+# it's listening on a firewalled interface.
+# -l 12.34.56.78
+
+# Limit the number of simultaneous incoming connections. The daemon default is 1024
+# -c 1024
+
+# Lock down all paged memory. Consult with the README and homepage before you do this
+# -k
+
+# Return error when memory is exhausted (rather than removing items)
+-M
+
+# Maximize core file limit
+# -r
diff --git a/memcached.init b/memcached.init
new file mode 100644
index 0000000..47c33ec
--- /dev/null
+++ b/memcached.init
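Review bot: The comment above `-u memcached` says "Run the daemon as root", which contradicts the option it documents; it should read something like `# Run the daemon as the unprivileged memcached user.` The header also describes Debian's start-memcached script, and the %install section of memcached.spec in this commit does not install this file, so if nothing reads it the file is better left out. If it is read, `-l` is left commented out, which by the file's own comment means listening on all addresses, unlike the `LISTEN="127.0.0.1"` default in memcached.sysconfig.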
@@ -0,0 +1,99 @@
+#! /bin/sh
+#
+# chkconfig: - 80 20
+# description: memcached - memory caching daemon
+# processname: /usr/bin/memcached
+# pidfile: /var/run/memcached/memcached.pid
+#
+### BEGIN INIT INFO
+# Provides: memcached
+# Required-Start: $syslog
+# Required-Stop: $syslog
+# Should-Start: $local_fs
+# Should-Stop: $local_fs
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: memcached - Memory caching daemon
+# Description: memcached - Memory caching daemon
+### END INIT INFO
+
+# Do not load RH compatibility interface.
+WITHOUT_RC_COMPAT=1
+
+# Source function library.
+. /etc/init.d/functions
+
+NAME=memcached
+RUNAS=memcached
+LISTEN="127.0.0.1"
+PORT="11211"
+MAXCONN="1024"
+CACHESIZE="64"
+EXTRAOPTIONS=
+PIDFILE="/var/run/$NAME/$NAME.pid"
+LOCKFILE="/var/lock/subsys/$NAME"
+
+# Source config.
+SourceIfNotEmpty "/etc/sysconfig/$NAME"
+
+[ -n "$RUNAS" ] || RUNAS=memcached
+[ -z "$LISTEN" ] || LISTEN="-l $LISTEN"
+
+[ ! -d "/var/run/$NAME" ] && mkdir "/var/run/$NAME"
+
+RETVAL=0
+
+start()
+{
+ start_daemon --expect-user "$RUNAS" --lockfile "$LOCKFILE" --pidfile "$PIDFILE" -- \
+ "$NAME" -d -u "$RUNAS" -P "$PIDFILE" $LISTEN -p $PORT -m $CACHESIZE -c $MAXCONN $EXTRAOPTIONS
+ RETVAL=$?
+ return "$RETVAL"
+}
+
+stop()
+{
+ stop_daemon --expect-user "$RUNAS" --lockfile "$LOCKFILE" --pidfile "$PIDFILE" -- "$NAME"
+ RETVAL=$?
+ return "$RETVAL"
+}
+
+restart()
+{
+ stop
+ start
+ RETVAL=$?
+ return "$RETVAL"
+}
+
+case "$1" in
+ start)
+ start
+ ;;
+ stop)
+ stop
+ ;;
+
+ restart|reload)
+ restart
+ ;;
+ condrestart|condreload)
+ if [ -e "$LOCKFILE" ]; then
+ restart
+ fi
+ ;;
+ condstop)
+ if [ -e "$LOCKFILE" ]; then
+ stop
+ fi
+ ;;
+ status)
+ status --expect-user "$RUNAS" --lockfile "$LOCKFILE" --pidfile "$PIDFILE" -- "$NAME"
+ RETVAL=$?
+ ;;
+ *)
+ msg_usage "${0##*/} {start|stop|reload|restart|condstop|condrestart|condreload|status}"
+ RETVAL=1
+esac
+
+exit $RETVAL
diff --git a/memcached.service b/memcached.service
new file mode 100644
index 0000000..695f450
--- /dev/null
+++ b/memcached.service
@@ -0,0 +1,39 @@
+# It's not recommended to modify this file in-place, because it will be
+# overwritten during upgrades. If you want to customize, the best
+# way is to use the "systemctl edit" command to create an override unit.
+#
+# For example, to pass additional options, create an override unit
+# (as is done by systemctl edit) and enter the following:
+#
+# [Service]
+# Environment=LISTEN="127.0.0.1,::1"
+# Environment=EXTRAOPTIONS="--threads=8"
+#
+
+[Unit]
+Description=memcached daemon
+Before=httpd2.service
+After=network.target
+
+[Service]
+EnvironmentFile=/etc/sysconfig/memcached
+ExecStart=/usr/bin/memcached -u $RUNAS -l $LISTEN -p $PORT -m $CACHESIZE -c $MAXCONN $EXTRAOPTIONS
+
+PrivateTmp=true
+ProtectSystem=full
+NoNewPrivileges=true
+PrivateDevices=true
+CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
+# Restricts the set of socket address families accessible to the processes of this unit.
+# Protects against vulnerabilities such as CVE-2016-8655
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+MemoryDenyWriteExecute=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+RestrictRealtime=true
+RestrictNamespaces=true
+
+
+[Install]
+WantedBy=multi-user.target
diff --git a/memcached.spec b/memcached.spec
new file mode 100644
index 0000000..5eb3dcb
--- /dev/null
+++ b/memcached.spec
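Review bot: `-l $LISTEN` in ExecStart misparses when LISTEN is empty, because systemd expands an unbraced empty variable to no argument and `-l` would then take `-p` as its value. memcached.init in this commit handles that case with `[ -z "$LISTEN" ] || LISTEN="-l $LISTEN"`, so the unit should either be made consistent or memcached.sysconfig should state that LISTEN must not be empty. The same ExecStart pattern appears in memcached@.service. Since no `User=` is set, the unit appears to rely on `-u $RUNAS` for the privilege drop, which is worth a comment next to `CapabilityBoundingSet=` explaining why CAP_SETUID and CAP_SETGID are kept.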
@@ -0,0 +1,300 @@
+%define _unpackaged_files_terminate_build 1
+%def_enable seccomp
+%def_enable extstore
+%def_enable sasl
+%def_enable tls
+
+Name: memcached
+Version: 1.6.21
+Release: alt1
+
+Summary: memcached - memory caching daemon
+License: BSD
+Group: System/Servers
+Url: http://www.memcached.org/
+#https://github.com/memcached/memcached.git
+Source: %name-%version.tar
+Patch: %name-%version.patch
+
+%define pkg_user memcached
+%define pkg_group memcached
+
+BuildRequires: libevent-devel perl-devel perl-AnyEvent perl-YAML perl-Term-ReadKey perl-IO-Socket-SSL
+%{?_enable_seccomp:BuildRequires: libseccomp-devel}
+%{?_enable_sasl:BuildRequires: libsasl2-devel}
+%{?_enable_tls:BuildRequires: libssl-devel >= 1.1.0}
+
+%description
+memcached is a flexible memory object caching daemon designed to alle-
+viate database load in dynamic web applications by storing objects in
+specifically optimized to avoid swapping and always use non-blocking
+I/O.
+
+%package devel
+Summary: Files needed for development using memcached protocol
+Group: Development/C
+BuildArch: noarch
+Requires: %name = %version-%release
+
+%description devel
+This package contains files needed for development using memcached
+protocol.
+
+%package tool
+Summary: Stats and management tool for memcached
+Group: Development/Tools
+BuildArch: noarch
+
+%description tool
+memcached-tool is a Perl script used to print statistics from a running
+memcached instance.
+
+%prep
+%setup
+%patch -p1
+sed -i 's,`git describe`,"%version-%release",g' version.pl
+
+%build
+perl version.pl
+%autoreconf
+%configure \
+%ifnarch %e2k
+ --enable-werror \
+%endif
+ %{subst_enable seccomp} \
+ %{subst_enable extstore} \
+ %{subst_enable sasl} \
+ %{subst_enable tls}
+
+%make_build
+
+%install
+%makeinstall_std
+install -pD -m755 %name.init %buildroot%_initdir/%name
+install -pD -m640 %name.sysconfig %buildroot%_sysconfdir/sysconfig/%name
+install -pD -m644 %name.service %buildroot%_unitdir/%name.service
+install -pD -m644 %{name}@.service %buildroot%_unitdir/%{name}@.service
+
+# tool
+install -pD -m755 scripts/memcached-tool %buildroot%_bindir/memcached-tool
+install -pD -m644 scripts/memcached-tool.1 %buildroot%_man1dir/memcached-tool.1
+
+%check
+%make test ||:
+
+%pre
+groupadd -r -f %pkg_group
+useradd -r -g %pkg_group -d /dev/null -s /dev/null -n %pkg_user >/dev/null 2>&1 ||:
+if [ $1 -eq 2 ] && [ ! -f /var/run/%name/%name.pid ] && [ -f /var/run/%name.pid ]; then
+ mkdir /var/run/%name/
+ mv /var/run/%name.pid /var/run/%name/%name.pid
+fi
+
+%post
+%post_service %name
+
+%preun
+%preun_service %name
+
+%files
+%config(noreplace) %attr(640,root,adm) %_sysconfdir/sysconfig/%name
+%_bindir/%name
+%_man1dir/%name.*
+%_initdir/*
+%_unitdir/*
+%doc AUTHORS doc/CONTRIBUTORS ChangeLog NEWS README.md doc/*.txt
+
+%files devel
+%_includedir/*
+
+%files tool
+%_bindir/%name-tool
+%_man1dir/%name-tool.*
+
+%changelog
+* Thu Sep 07 2023 Alexey Shabalin 1.6.21-alt1
+- New version 1.6.21.
+
+* Fri Mar 24 2023 Alexey Shabalin 1.6.19-alt1
+- New version 1.6.19.
+ +* Wed Jan 11 2023 Alexey Shabalin 1.6.18-alt1 +- new version 1.6.18 + +* Wed Jun 15 2022 Alexey Shabalin 1.6.15-alt1 +- new version 1.6.15 + +* Wed Dec 22 2021 Alexey Shabalin 1.6.12-alt1 +- new version 1.6.12 + +* Fri Oct 22 2021 Ilya Kurdyukov 1.6.10-alt2 +- removed -Werror for Elbrus build + +* Sat Sep 04 2021 Alexey Shabalin 1.6.10-alt1 +- new version 1.6.10 + +* Tue Nov 24 2020 Alexey Shabalin 1.6.9-alt1 +- new version 1.6.9 + +* Sat May 16 2020 Alexey Shabalin 1.6.6-alt1 +- new version 1.6.6 + +* Sat Apr 18 2020 Alexey Shabalin 1.6.5-alt1 +- new version 1.6.5 + +* Wed Apr 08 2020 Alexey Shabalin 1.6.3-alt1 +- new version 1.6.3 + +* Wed Mar 25 2020 Alexey Shabalin 1.6.2-alt1 +- new version 1.6.2 (ALT #38273) + +* Wed Mar 18 2020 Alexey Shabalin 1.6.1-alt1 +- new version 1.6.1. +- enable extstore + +* Sun Feb 09 2020 Alexey Shabalin 1.5.22-alt1 +- new version 1.5.22 + +* Sat Jan 25 2020 Alexey Shabalin 1.5.21-alt1 +- new version 1.5.21 + +* Fri Oct 11 2019 Alexey Shabalin 1.5.19-alt1 +- new version 1.5.19 + +* Tue Sep 10 2019 Alexey Shabalin 1.5.17-alt1 +- new version 1.5.17 + +* Wed Jul 17 2019 Alexey Shabalin 1.5.16-alt1 +- 1.5.16 + +* Thu May 23 2019 Gleb F-Malinovskiy 1.5.14-alt2 +- Fixed build on ppc64le. 
+ +* Wed May 15 2019 Alexey Shabalin 1.5.14-alt1 +- 1.5.14 + +* Thu Apr 18 2019 Alexey Shabalin 1.5.13-alt1 +- 1.5.13 +- build with tls support + +* Thu Nov 29 2018 Alexey Shabalin 1.5.12-alt1 +- 1.5.12 + +* Fri Aug 24 2018 Alexey Shabalin 1.5.10-alt1 +- 1.5.10 + +* Fri Jul 27 2018 Alexey Shabalin 1.5.9-alt1 +- 1.5.9 + +* Sun Apr 01 2018 Alexey Shabalin 1.5.7-alt1 +- 1.5.7 + +* Sun Mar 04 2018 Alexey Shabalin 1.5.6-alt1 +- 1.5.6 +- disable UDP port by default (fixed CVE-2018-1000115) +- drop scripts package +- add tool package +- add memcached@.service for allow start "instanced" version, like 'memcached@11211' + +* Tue Jan 09 2018 Alexey Shabalin 1.5.4-alt1 +- 1.5.4 + +* Tue Nov 07 2017 Alexey Shabalin 1.5.3-alt1 +- 1.5.3 +- build with sasl + +* Thu Nov 02 2017 Alexey Shabalin 1.5.2-alt1 +- 1.5.2 +- build with seccomp + +* Thu Jul 20 2017 Alexey Shabalin 1.4.39-alt1 +- 1.4.39 + +* Wed Jun 14 2017 Alexey Shabalin 1.4.37-alt1 +- 1.4.37 + +* Wed Mar 22 2017 Alexey Shabalin 1.4.36-alt1 +- 1.4.36 + +* Mon Feb 27 2017 Alexey Shabalin 1.4.35-alt1 +- 1.4.35 + +* Mon Feb 13 2017 Alexey Shabalin 1.4.34-alt1 +- 1.4.34 + +* Wed Nov 02 2016 Alexey Shabalin 1.4.33-alt1 +- 1.4.33 +- fixed CVE-2016-8705,CVE-2016-8704,CVE-2016-8706 +- update systemd unit + +* Wed Jun 15 2016 Lenar Shakirov 1.4.13-alt4 +- Systemd unit file fixed + +* Thu Nov 28 2013 Eugeny A. Rostovtsev (REAL) 1.4.13-alt3.1 +- Fixed build + +* Tue May 15 2012 Vitaly Kuznetsov 1.4.13-alt3 +- Fix systemd unit file (ALT #27335) + +* Sat May 05 2012 Vitaly Kuznetsov 1.4.13-alt2 +- Add systemd unit file + +* Mon Mar 26 2012 Vitaly Kuznetsov 1.4.13-alt1 +- 1.4.13 + +* Wed Nov 23 2011 Vitaly Kuznetsov 1.4.10-alt1 +- 1.4.10 + +* Mon Sep 19 2011 Vitaly Kuznetsov 1.4.7-alt1 +- 1.4.7 + +* Tue Aug 02 2011 Vitaly Kuznetsov 1.4.6-alt1 +- 1.4.6 + +* Mon Jun 27 2011 Dmitry V. Levin 1.4.5-alt6 +- Packaged auxiliary scripts in separate subpackage. + +* Thu Jun 16 2011 Dmitry V. 
Levin 1.4.5-alt5 +- Fixed lowering privileges and pidfile writing. +- Rewritten startup script. +- Replaced /etc/memcached.conf with /etc/sysconfig/memcached +- Packaged %%name-devel as noarch. + +* Tue Jun 14 2011 Vitaly Kuznetsov 1.4.5-alt4 +- fix VERSION UNKNOWN error + +* Mon Mar 21 2011 Vitaly Kuznetsov 1.4.5-alt3 +- Add memcached package to devel's Requires (ALT #25264) + +* Mon Nov 08 2010 Vitaly Kuznetsov 1.4.5-alt2 +- Fix type-punning issues exposed with GCC 4.5.1 + +* Wed Oct 06 2010 Vitaly Kuznetsov 1.4.5-alt1 +- 1.4.5 (ALT #23996) +- CVE-2010-1152 + +* Mon Sep 28 2009 Denis Klimov 1.4.1-alt1 +- new version (Closes: #20835) +- add devel subpackage + +* Tue May 05 2009 Denis Klimov 1.2.8-alt1 +- new version +- critial bug fix leak memory from /proc/self/maps (ALT #19916) +- remove packager tag +- not package needless scripts + +* Fri Aug 08 2008 Denis Klimov 1.2.6-alt1 +- new version +- remove needless -q key for setup macros +- fix use pkg_group instead pkg_user +- remove include sysconfig file in init script + +* Sat Jun 02 2007 L.A. Kostis 1.2.2-alt1 +- new version from 1.2 branch (fix ALT #11932). +- build with threads support. +- add packager field. +- add debug switch for testing purposes (disabled by default). + +* Wed Nov 02 2005 LAKostis 1.1.12-alt1 +- first build for ALTLinux. + diff --git a/memcached.sysconfig b/memcached.sysconfig new file mode 100644 index 0000000..54f0f81 --- /dev/null +++ b/memcached.sysconfig @@ -0,0 +1,15 @@ +# These defaults will be used by every memcached instance, unless overridden +# by values in /etc/sysconfig/memcached. +# Parameters for memcached daemon. +# See memcached(1) for more details. + +RUNAS="memcached" +LISTEN="127.0.0.1" +MAXCONN="1024" +CACHESIZE="64" +EXTRAOPTIONS="" + +# The PORT variable will only be used by memcached.service, not by +# memcached@xxxxx services, which will use the xxxxx +PORT="11211" + diff --git a/memcached@.service b/memcached@.service new file mode 100644 index 0000000..4a7ad53 
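Review bot: `%make test ||:` in %check discards the test result, so a regression in the privilege-drop and pidfile code that this package patches in memcached.c cannot fail the build; prefer a plain `%make test` and disable individual known-bad tests with a comment naming them. In %pre, `useradd ... >/dev/null 2>&1 ||:` likewise hides every failure, including failure to create the account that `-u memcached` depends on at start-up. A short comment on why both are tolerated would help if they must stay.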
--- /dev/null
+++ b/memcached@.service
@@ -0,0 +1,44 @@
+# It's not recommended to modify this file in-place, because it will be
+# overwritten during upgrades. If you want to customize, the best
+# way is to use the "systemctl edit" command to create an override unit.
+#
+# For example, to pass additional options, create an override unit
+# (as is done by systemctl edit) and enter the following:
+#
+# [Service]
+# Environment=LISTEN="127.0.0.1,::1"
+# Environment=EXTRAOPTIONS="--threads=8"
+#
+# To use the "instanced" version of this, just start 'memcached@11211' or
+# whatever port you'd like. If /etc/sysconfig/memcached. exists, it
+# will be read first, so you can set different parameters for a given
+# instance.
+
+[Unit]
+Description=memcached daemon
+Before=httpd2.service
+After=network.target
+
+[Service]
+EnvironmentFile=/etc/sysconfig/memcached
+EnvironmentFile=-/etc/sysconfig/memcached.%i
+ExecStart=/usr/bin/memcached -u $RUNAS -l $LISTEN -p %i -m $CACHESIZE -c $MAXCONN $EXTRAOPTIONS
+
+PrivateTmp=true
+ProtectSystem=full
+NoNewPrivileges=true
+PrivateDevices=true
+CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
+# Restricts the set of socket address families accessible to the processes of this unit.
+# Protects against vulnerabilities such as CVE-2016-8655
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+MemoryDenyWriteExecute=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+RestrictRealtime=true
+estrictNamespaces=true
+
+
+[Install]
+WantedBy=multi-user.target
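Review bot: The line `estrictNamespaces=true` near the end of [Service] is missing its leading `R`, so it is not a key systemd recognises and the setting is ignored. Instances started from memcached@.service would therefore run without the namespace restriction that memcached.service in this same commit applies. It should read `RestrictNamespaces=true`.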