August 7, 2009

memcached AMI security

One other feature we were able to easily put in place leverages security capabilities in OpenSolaris.  In the Solaris least privilege model, a process can take privs away from itself.  Why would it do that?

It's well known that one security exploit vector for C code is to find a problem with memory handling, then use that to run another process on the system via a stack smash.  memcached on OpenSolaris is privilege aware and takes those privs away from itself:

    root@domU-12-31-39-00-69-B3:/var# ppriv `pgrep memcached`
    229:    /usr/local/bin/memcached -u noaccess -L -m 676
    flags = PRIV_AWARE
        E: basic,!file_link_any,!proc_exec,!proc_fork,!proc_info,!proc_session
        I: basic,!file_link_any,!proc_exec,!proc_fork,!proc_info,!proc_session
        P: basic,!file_link_any,!proc_exec,!proc_fork,!proc_info,!proc_session
        L: basic,!file_link_any,!proc_exec,!proc_fork,!proc_info,!proc_session

As the ppriv command there shows, memcached has taken the file link/fork/exec/info/session privs away from itself.  Without proc_fork and proc_exec, even a compromised memcached process cannot start another process.
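A check you can run over that ppriv output to confirm the privs are gone from all four sets (E, I, P, L). This is an added example, not part of the original post or of memcached; the sample text is constructed in the post's format, process 301 and `exampled` are hypothetical, and it assumes a priv is held when the set names it or names `basic`, `all` or `zone` without a `!` negation.

```python
import re

# Privileges the post shows memcached removing from itself.
EXPECTED_DROPPED = ("file_link_any", "proc_exec", "proc_fork",
                    "proc_info", "proc_session")
_DROPPED = "basic," + ",".join("!" + p for p in EXPECTED_DROPPED)

# Constructed sample in the format shown in the post.
SAMPLE_HARDENED = (
    "229:    /usr/local/bin/memcached -u noaccess -L -m 676\n"
    "flags = PRIV_AWARE\n"
    + "".join(f"    {s}: {_DROPPED}\n" for s in "EIPL"))

# Constructed sample of a process that never dropped anything (hypothetical).
SAMPLE_DEFAULT = (
    "301:    /usr/local/bin/exampled\n"
    "flags = <none>\n"
    "    E: basic\n    I: basic\n    P: basic\n    L: all\n")

SET_LINE = re.compile(r"^\s*([EIPL]):\s*(\S*)\s*$")

def parse_ppriv(text):
    """Return {'E': [tokens], 'I': [...], 'P': [...], 'L': [...]}."""
    sets = {}
    for line in text.splitlines():
        m = SET_LINE.match(line)
        if m:
            sets[m.group(1)] = [t for t in m.group(2).split(",") if t]
    return sets

def holds(tokens, priv):
    """True if the set still contains priv (assumption: priv is a basic one)."""
    if "!" + priv in tokens:
        return False          # explicitly removed, e.g. basic,!proc_exec
    return priv in tokens or any(t in tokens for t in ("basic", "all", "zone"))

def audit(text, expected=EXPECTED_DROPPED):
    """Map each set name to the privileges it still holds; {} means clean."""
    sets, findings = parse_ppriv(text), {}
    for name in "EIPL":
        if name not in sets:  # truncated or unexpected output: fail closed
            findings[name] = ["<set missing from output>"]
            continue
        kept = [p for p in expected if holds(sets[name], p)]
        if kept:
            findings[name] = kept
    return findings

if __name__ == "__main__":
    print("hardened:", audit(SAMPLE_HARDENED))
    print("default: ", audit(SAMPLE_DEFAULT))
```

Checking I, P and L as well as E matters: a priv left in P can be turned back on in E, and I and L govern what a process can hold after an exec.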
