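# It's not recommended to modify this file in-place, because it will be
# overwritten during upgrades.  If you want to customize, the best
# way is to use the "systemctl edit" command to create an override unit.
#
# For example, to pass additional options, create an override unit
# (as is done by systemctl edit) and enter the following:
#
#     [Service]
#     Environment=OPTIONS="-l 127.0.0.1,::1"
#
# NOTE: systemd lets values read through EnvironmentFile= override values set
# with Environment=.  If /etc/sysconfig/memcached (or the per-instance file)
# also sets OPTIONS, that value wins and the override above has no effect;
# change OPTIONS in the sysconfig file instead.
#
# memcached does not authenticate clients by default, so the listen address
# given with -l in OPTIONS decides who can reach the cache.  Keep it on
# loopback or a trusted network, and check the effective command line with
# "systemctl status" after any change.  If the UDP listener is not needed,
# "-U 0" in OPTIONS turns it off.
#
# To use the "instanced" version of this, just start 'memcached@11211' or
# whatever port you'd like.  If /etc/sysconfig/memcached.<port> exists, it
# is read after /etc/sysconfig/memcached, so its settings override the global
# ones and you can set different parameters for a given instance.

[Unit]
Description=memcached daemon
After=network.target

[Service]
# Files are read in the order listed and a later assignment replaces an
# earlier one.  The leading "-" makes the per-instance file optional; the
# global file has no "-", so the unit fails to start if it is missing.
# These files choose the account and the options of a daemon that is started
# with root privileges (no User= is set here), so they should be writable by
# root only.
EnvironmentFile=/etc/sysconfig/memcached
EnvironmentFile=-/etc/sysconfig/memcached.%i
# %i is the instance name, used as the TCP port.  ${USER}, ${CACHESIZE} and
# ${MAXCONN} are each passed as one argument; $OPTIONS (no braces) is split
# on whitespace into separate arguments.
ExecStart=/usr/bin/memcached -p %i -u ${USER} -m ${CACHESIZE} -c ${MAXCONN} $OPTIONS

# Set up a new file system namespace and mounts private /tmp and /var/tmp
# directories so this service cannot access the global directories and
# other processes cannot access this service's directories.
PrivateTmp=true

# Mounts the /usr, /boot, and /etc directories read-only for processes
# invoked by this unit.
ProtectSystem=full

# Ensures that the service process and all its children can never gain new
# privileges
NoNewPrivileges=true

# Sets up a new /dev namespace for the executed processes and only adds API
# pseudo devices such as /dev/null, /dev/zero or /dev/random (as well as
# the pseudo TTY subsystem) to it, but no physical devices such as /dev/sda.
PrivateDevices=true

# Required for dropping privileges and running as a different user
# (CAP_SETGID, CAP_SETUID).  CAP_SYS_RESOURCE is presumably kept so memcached
# can raise its resource limits for the -c connection count; confirm before
# trimming the set further.  Every other capability is unavailable to the
# service, even while it still runs as root.
CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE

# Restricts the set of socket address families accessible to the processes
# of this unit.  Protects against vulnerabilities such as CVE-2016-8655
# This is an allow-list: any family not named here, AF_PACKET included,
# cannot be opened by the service.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX


# Some security features are not in the older versions of systemd used by
# e.g. RHEL7/CentOS 7. The below settings are automatically edited at package
# build time to uncomment them if the target platform supports them.
# Until that edit happens the ##safer## lines are plain comments and the
# protections below are NOT active; "systemctl show" on a running instance
# tells which ones are in effect.

# Attempts to create memory mappings that are writable and executable at
# the same time, or to change existing memory mappings to become executable
# are prohibited.
##safer##MemoryDenyWriteExecute=true

# Explicit module loading will be denied. This allows turning off module
# load and unload operations on modular kernels. It is recommended to turn
# this on for most services that do not need special file systems or extra
# kernel modules to work.
##safer##ProtectKernelModules=true

# Kernel variables accessible through /proc/sys, /sys, /proc/sysrq-trigger,
# /proc/latency_stats, /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq
# will be made read-only to all processes of the unit. Usually, tunable
# kernel variables should only be written at boot-time, with the sysctl.d(5)
# mechanism. Almost no services need to write to these at runtime; it is hence
# recommended to turn this on for most services.
##safer##ProtectKernelTunables=true

# The Linux Control Groups (cgroups(7)) hierarchies accessible through
# /sys/fs/cgroup will be made read-only to all processes of the unit.
# Except for container managers no services should require write access
# to the control groups hierarchies; it is hence recommended to turn this
# on for most services.
##safer##ProtectControlGroups=true

# Any attempts to enable realtime scheduling in a process of the unit are
# refused.
##safer##RestrictRealtime=true

# Takes away the ability to create or manage any kind of namespace
##safer##RestrictNamespaces=true

[Install]
WantedBy=multi-user.target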