Suggestion… secure memcached ? Could it be possible ?
  1. Richard Hordern
  2. Monday, 06 February 2012
Suggestion… would it be possible to evolve cloudlinux cagefs + memory limiting technology to make a secure shared memcached ?
  1. 06.02.2012 16:02:40
  2. # 1
Richard Hordern Accepted Answer
Posts: 219
Joined: 19.03.2011
Would it be possible to evolve cloudlinux cagefs + memory limiting technology to make a secure shared memcached ?

We have had some requests recently about offering Memcached on our shared hosting servers.

The answer we have found so far is that anyone on the same server could potentially corrupt other users' keys, producing in the best cases a slowdown for that query and in the worst cases maybe even allowing users to change the content on other users' sites.

Of course, in a shared hosting environment you would only store publicly accessible data. I'm not too worried about users deleting other users' caches and slowing down their applications, but if someone could have fun changing contents (or even change it by mistake) on another user's site, this could be very bad !

CloudLinux allows you to limit how much memory a user can use. Would it be possible to somehow not allow users to read or access memory used by another user ? In the same way that CageFS uses the kernel to restrict a user to a virtual environment on the disk… it would definitely be great to be able to do the same in the memory !

If this is not possible, do you have an opinion about using memcached in a shared hosting environment ? I've found out that some of the major hosting companies supply shared memcached while others say it would be mad to offer such a thing from a security point of view.

We have memory to spare and would love to be able to offer it but don't want to get into a situation where we would have to suddenly stop it and have lots of customers' sites configured to use memcached show blank pages !
  1. 06.02.2012 22:02:34
  2. # 2
Igor Seletskiy Accepted Answer
Posts: 1195
Joined: 09.02.2010
IMHO shared memcache is VERY bad.
The way memcache is done -- to make it reliable and secure, you would need to run a memcache instance per customer. This way one customer cannot trash the cache for other customers. Security-wise, you also need to make sure that only the customer can connect to that instance.
This should be possible by enabling virtualized networking on a per-customer basis, so that for example 127.1.0.1 would be routed differently for each LVE, and each customer would be able to get only to its own instance of memcache.

Overall memcache has very small footprint, so it should be possible to do. You can charge extra based on amount of RAM they are using/requesting.

I am starting to get multiple requests for virtualized networking, so we might address the issue sometime during this spring.
  1. 07.02.2012 02:02:15
  2. # 3
Richard Hordern Accepted Answer
Posts: 219
Joined: 19.03.2011
Wow virtualised networking sounds great… !! I can think of other applications for this like for instance lucene/solr based searches that should be able to be limited to a single user with virtual networking.

Do you have any other ideas for virtual networking usages ?
  1. 14.01.2013 09:01:10
  2. # 4
Duplika Accepted Answer
Posts: 10
Joined: 03.12.2012
@Igor Seletskiy, just to confirm, do you advise against installing and configuring memcached on a shared hosting environment using CloudLinux?
  1. 14.01.2013 09:01:03
  2. # 5
Igor Seletskiy Accepted Answer
Posts: 1195
Joined: 09.02.2010
Any shared instance of memcache (on cloudlinux or anything else) is insecure today.
memcache doesn't have a way to authenticate, which means that:
user1 can read anything user2 'caches'
It also means that:
user1 can write anything that user2 reads (cache poisoning)

Even with latest version / SASL authentication -- you are authenticating to the whole cache, and can still read/poison someone else's data.
  1. 14.01.2013 09:01:16
  2. # 6
Richard Hordern Accepted Answer
Posts: 219
Joined: 19.03.2011
Until CloudLinux implements virtualised networking all memcached users can modify / edit cache of other users on the same server.

When CloudLinux implements virtualised networking it will be possible to manually create a new memcached instance on a new port and only authorise an individual user to access this port.

Would it be possible with CageFS to set memcached to listen to a socket and only allow a single user to that socket ?

Is it even possible to add specific sockets for single users ?

Thanks
  1. 14.01.2013 09:01:09
  2. # 7
Igor Seletskiy Accepted Answer
Posts: 1195
Joined: 09.02.2010
Do you mean unix socket? Does memcache support unix sockets? If it does -- it should be possible to run an instance of memcache per customer in a secure way today.
  1. 14.01.2013 10:01:32
  2. # 8
Richard Hordern Accepted Answer
Posts: 219
Joined: 19.03.2011
I've just run a few searches for this and found :

http://www.rackspace.com/blog/setting-up-memcached-on-cloud-servers/

http://serverfault.com/questions/433240/how-to-set-up-memcached-to-use-unix-socket

How would I give access to memcached socket for a single user ?


http://php.net/manual/en/memcache.connect.php

Says :

host can be set to :

unix:///path/to/memcached.sock

Port must be set to 0 if using unix sockets

:)
  1. 14.01.2013 10:01:54
  2. # 9
Igor Seletskiy Accepted Answer
Posts: 1195
Joined: 09.02.2010
run memcache as user
put socket in /home/user/.memcache/memcached.sock

it should be secure.
  1. 14.01.2013 11:01:25
  2. # 10
Richard Hordern Accepted Answer
Posts: 219
Joined: 19.03.2011
I will give this a try as soon as I get a few spare minutes !

It sounds like it could be quite easy to turn into a hook or a plugin in cPanel … :)
  1. 14.01.2013 11:01:45
  2. # 11
Richard Hordern Accepted Answer
Posts: 219
Joined: 19.03.2011
Would this still be secure without CageFS, as memcached would be run as different users in different home directories, so in theory users wouldn't be able to access each other's sockets… ?
  1. 14.01.2013 11:01:25
  2. # 12
Igor Seletskiy Accepted Answer
Posts: 1195
Joined: 09.02.2010
Correct. Even without CageFS, it should be secure, if all the permissions are set right.
  1. 14.01.2013 11:01:05
  2. # 13
Duplika Accepted Answer
Posts: 10
Joined: 03.12.2012
It sounds like it could be quite easy to turn into a hook or a plugin in cPanel … 
+1 to this.
  1. 14.01.2013 13:01:21
  2. # 14
majdi Accepted Answer
Posts: 19
Joined: 17.12.2011
Does the above apply to APC too ?
  1. 14.01.2013 13:01:46
  2. # 15
Igor Seletskiy Accepted Answer
Posts: 1195
Joined: 09.02.2010
No, APC is secure due to the way it works.
  1. 28.08.2013 07:08:21
  2. # 16
Sindre Accepted Answer
Posts: 1
Joined: 27.08.2013
I am very interested in this. I have installed memcached and added a new init script which supports multiple config files in order to run multiple instances - one for each customer. In the config file I specify the path to the socket: /home/user/.memcached/memcached.sock 

Now, I only need to create the ./memcached folder inside each user's home directory. How can I accomplish this? I am running CageFS. Do I have to add a configuration file to /etc/cagefs/conf.d or add an entry to /etc/cagefs/cagefs.mp? Or is this something that must be done inside cPanel?

I am new to CloudLinux so I am still learning...

Any advice will be appreciated.
  1. 21.08.2014 06:08:58
  2. # 17
Richard Hordern Accepted Answer
Posts: 219
Joined: 19.03.2011
Hello,

I've just got this working manually with a config file per user that I place in /etc/multimemcached.d/memcache_USERNAME

service multi_memcached [start|restart|status] memcache_USERNAME
Applies a start, restart or a status to that user's instance


service multi_memcached [start|restart|status]
Starts, restarts or supplies the status for all users

Users can only access their instance of memcached :

Logged in as a user :

echo "stats"|nc -U /home/USERNAME/.memcached/memcached.sock

This only responds for that user's instance and a single user can't access other users' instances.

Next step, create a cPanel plugin that creates : /home/$USERNAME/.memcached/run

And adds a config file to /etc/multimemcached.d/memcache_$USERNAME

Then runs :

service multi_memcached start memcache_USERNAME

Seems pretty simple… Any advice from security point of view ? I presume I can only run this with root privileges so I guess the most important thing here is to make sure that only this command can be run (maybe also stop and restart).

I would also like to allow users to get the output of :

echo "stats"|nc -U /home/maquette/.memcached/memcached.sock

and also run :

echo "flush_all"|nc -U /home/maquette/.memcached/memcached.sock

This won't need a privileged user so they will be safe and easy to run.

Now I'm going to start reading about creating my first cPanel plugin !
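
The per-user socket layout worked out in posts 9 to 17, as an added example that is not part of any poster's message or of CloudLinux's tooling: `provision_cmds` prints the root commands for one account, and `audit_socket_dir` checks the permissions that post 12 says must be set right. The function names, the direct `memcached` command line (rather than the `multi_memcached` service) and the 64 MB default are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed: memcached's -d/-u/-m/-s/-a flags,
# the /home/USER/.memcached/memcached.sock layout used above, and the
# hypothetical helper names provision_cmds and audit_socket_dir.

# Print (do not run) the root commands that give USER a private instance.
provision_cmds() {
    user=$1; mem_mb=${2:-64}; dir=/home/$user/.memcached
    echo "install -d -m 0700 -o $user $dir"
    echo "memcached -d -u $user -m $mem_mb -s $dir/memcached.sock -a 0700"
}

# Return 0 only if DIR is a real directory owned by WANT_UID with mode 0700
# and no ACL, and any memcached.sock inside it is equally private.
audit_socket_dir() {
    dir=$1; want_uid=$2
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "FAIL: $dir is not a plain directory"; return 1
    fi
    set -- $(ls -ldn "$dir")            # $1 = mode string, $3 = numeric owner
    if [ "$3" != "$want_uid" ]; then
        echo "FAIL: $dir owned by uid $3, expected $want_uid"; return 1
    fi
    case $1 in
        drwx------|drwx------.) ;;      # a trailing "+" (ACL present) is rejected
        *) echo "FAIL: $dir is $1, expected drwx------"; return 1 ;;
    esac
    sock=$dir/memcached.sock
    if [ -e "$sock" ]; then
        set -- $(ls -ldn "$sock")
        case "$3:$1" in
            "$want_uid":s???------|"$want_uid":s???------.) ;;
            *) echo "FAIL: $sock is $1 uid $3, not a private socket"; return 1 ;;
        esac
    fi
    echo "OK: $dir"
}

# Demo with a placeholder account name.
provision_cmds USERNAME 64
```

To check an existing account as root: `audit_socket_dir /home/USERNAME/.memcached "$(id -u USERNAME)"`.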
  1. 23.05.2018 08:05:31
  2. # 18
Michael Holforty Accepted Answer
Posts: 14
Joined: 07.03.2014
Has anything further been developed to implement this safely and easily per user?
  1. 30.05.2018 10:05:21
  2. # 19
Igor Ghertesco Accepted Answer
Posts: 146
Joined: 07.08.2015
Hello,

No, besides the suggestions above, no further development was made.