# It is not recommended to modify this file in place, because it will be
# overwritten during upgrades. To customize the service, use the
# "systemctl edit" command to create an override (drop-in) unit instead.
#
# For example, to pass additional options to memcached, create an override
# unit (as "systemctl edit" does) and enter the following, which in this
# case restricts the listener to the loopback addresses only:
#
#     [Service]
#     Environment=OPTIONS="-l 127.0.0.1,::1"
10
11
[Unit]
# Identity and ordering of the memcached service. After=network.target only
# orders startup behind the network stack being brought up; it is not
# network-online.target, so addresses may not be fully configured yet when
# the daemon starts (fine for binding wildcard addresses, check if a
# specific -l address is used).
Description=memcached daemon
After=network.target
15
[Service]
# How the daemon is launched, plus the sandboxing applied to it. The process
# starts as root (no User= here) and drops to ${USER} itself via -u; the
# settings below limit what that initial root phase and the daemon can do.

# Runtime parameters (PORT, USER, CACHESIZE, MAXCONN, OPTIONS) come from this
# file. There is no "-" prefix, so a missing file makes the unit fail to start
# rather than run with unset variables.
EnvironmentFile=/etc/sysconfig/memcached
# No shell is involved in ExecStart: each ${VAR} expands to exactly one
# argument, while the unbraced $OPTIONS is split on whitespace so that OPTIONS
# may carry several flags (see the override example at the top of this file).
ExecStart=/usr/bin/memcached -p ${PORT} -u ${USER} -m ${CACHESIZE} -c ${MAXCONN} $OPTIONS

# Set up a new file system namespace and mounts private /tmp and /var/tmp
# directories so this service cannot access the global directories and
# other processes cannot access this service's directories.
PrivateTmp=true

# Mounts the /usr, /boot, and /etc directories read-only for processes
# invoked by this unit. ("true" would cover only /usr and /boot; "strict"
# would make the whole hierarchy read-only but is not used here, presumably
# for compatibility with older systemd — see the note further down.)
ProtectSystem=full

# Ensures that the service process and all its children can never gain new
# privileges: execve() of setuid/setgid binaries or files with capabilities
# grants nothing beyond what the process already holds.
NoNewPrivileges=true

# Sets up a new /dev namespace for the executed processes and only adds API
# pseudo devices such as /dev/null, /dev/zero or /dev/random (as well as
# the pseudo TTY subsystem) to it, but no physical devices such as /dev/sda.
PrivateDevices=true

# Capabilities kept for the initial root phase only: CAP_SETUID/CAP_SETGID
# are required for dropping privileges and running as ${USER}; CAP_SYS_RESOURCE
# is presumably needed to raise resource limits (e.g. the open-file limit for
# -c) before privileges are dropped — confirm against memcached's startup code.
# Every other capability is removed from the bounding set and, combined with
# NoNewPrivileges, cannot be regained.
CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE

# Restricts the set of socket address families accessible to the processes
# of this unit. Protects against vulnerabilities such as CVE-2016-8655
# (AF_PACKET). AF_UNIX is kept so that a Unix-domain listener (memcached -s)
# still works — verify that before tightening this list in an override.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX


# Some security features are not in the older versions of systemd used by
# e.g. RHEL7/CentOS 7. The below settings are automatically edited at package
# build time to uncomment them if the target platform supports them.
# As shipped, the "##safer##" prefix makes each of these lines a plain comment,
# so they are inert unless the build strips the marker; an unknown directive
# on old systemd would otherwise only be logged as a warning, not fatal.

# Attempts to create memory mappings that are writable and executable at
# the same time, or to change existing memory mappings to become executable
# are prohibited.
##safer##MemoryDenyWriteExecute=true

# Explicit module loading will be denied. This allows to turn off module
# load and unload operations on modular kernels. It is recommended to turn
# this on for most services that do not need special file systems or extra
# kernel modules to work.
##safer##ProtectKernelModules=true

# Kernel variables accessible through /proc/sys, /sys, /proc/sysrq-trigger,
# /proc/latency_stats, /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq
# will be made read-only to all processes of the unit. Usually, tunable
# kernel variables should only be written at boot-time, with the sysctl.d(5)
# mechanism. Almost no services need to write to these at runtime; it is hence
# recommended to turn this on for most services.
##safer##ProtectKernelTunables=true

# The Linux Control Groups (cgroups(7)) hierarchies accessible through
# /sys/fs/cgroup will be made read-only to all processes of the unit.
# Except for container managers no services should require write access
# to the control groups hierarchies; it is hence recommended to turn this
# on for most services
##safer##ProtectControlGroups=true

# Any attempts to enable realtime scheduling in a process of the unit are
# refused.
##safer##RestrictRealtime=true

# Takes away the ability to create or manage any kind of namespace
##safer##RestrictNamespaces=true
82
[Install]
# "systemctl enable" hooks this unit into multi-user.target so that the daemon
# is started at boot in the normal (non-graphical) multi-user state.
WantedBy=multi-user.target
85