author | Craig Andrews <candrews@integralblue.com> | 2016-08-08 11:56:19 -0400 |
---|---|---|
committer | dormando <dormando@rydia.net> | 2016-08-11 14:46:10 -0700 |
commit | 902df5e5ff98533e85dd1766e471e7c1c45af5eb (patch) | |
tree | 05710bf43773e704f4a43a450bc20a41756d792f /scripts | |
parent | 6fee85996d5dceb269fac590d2d06a19996b8aee (diff) | |
download | memcached-902df5e5ff98533e85dd1766e471e7c1c45af5eb.tar.gz |
Add MemoryDenyWriteExecute to the systemd service
MemoryDenyWriteExecute=true will prevent attempts to create memory mappings that are both writable and executable at the same time. This option improves service security, as it makes it harder for software exploits to change running code dynamically.
Diffstat (limited to 'scripts')
-rw-r--r-- | scripts/memcached.service | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/scripts/memcached.service b/scripts/memcached.service index 0076d84..a96445b 100644 --- a/scripts/memcached.service +++ b/scripts/memcached.service @@ -36,5 +36,9 @@ PrivateDevices=true # Required for dropping privileges and running as a different user CapabilityBoundingSet=CAP_SETGID CAP_SETUID +# Attempts to create memory mappings that are writable and executable at the same time, +# or to change existing memory mappings to become executable are prohibited. +MemoryDenyWriteExecute=true + [Install] WantedBy=multi-user.target |
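Review bot: The comment above the added `MemoryDenyWriteExecute=true` line does not say which systemd release the setting needs. The directive was introduced in systemd 231; older versions log a warning about the unknown key and ignore it, so the unit still starts but without this protection. Suggest extending the comment with the minimum version, for example "# Requires systemd 231 or later; older versions ignore this line with a warning", so that packagers for older distributions know the hardening is not in effect there. The comment could also state that memcached itself creates no writable and executable mappings, which is the assumption that makes enabling this safe.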