no security at application level?
Brad Fitzpatrick
brad@danga.com
Wed, 22 Oct 2003 15:51:24 -0700 (PDT)
Correct.
The rationale is:
-- anybody needing memcached has a ton of machines, or at
least understands security and has a private network.
-- the point of memcached is to be fast. auth slows it down.
I suppose this should be documented, though.
If you want to write up a doc/security.txt, discussing both TCP level
filtering and the -u option (that we force users to drop root), that'd be
helpful, and I'll get it in the next release.
- Brad
On Wed, 22 Oct 2003, Joshua Haberman wrote:
> I want to be sure that I'm not missing something. It appears that
> memcached offers no form of authenticating or authorizing connections,
> so any security of this type need to be performed at the TCP level ie.
> through firewalling. Is that correct?
>
> Josh
>
>