no security at application level?

Brad Fitzpatrick brad@danga.com
Wed, 22 Oct 2003 15:51:24 -0700 (PDT)


Correct.

The rationale is:

   -- anybody needing memcached has a ton of machines, or at
      least understands security and has a private network.

   -- the point of memcached is to be fast.  auth slows it down.

I suppose this should be documented, though.

If you want to write up a doc/security.txt, discussing both TCP level
filtering and the -u option (that we force users to drop root), that'd be
helpful, and I'll get it in the next release.

- Brad


On Wed, 22 Oct 2003, Joshua Haberman wrote:

> I want to be sure that I'm not missing something.  It appears that
> memcached offers no form of authenticating or authorizing connections,
> so any security of this type need to be performed at the TCP level ie.
> through firewalling.  Is that correct?
>
> Josh
>
>