no security at application level?

Anatoly Vorobey mellon@pobox.com
Thu, 23 Oct 2003 00:55:25 +0200


On Wed, Oct 22, 2003 at 03:32:34PM -0700, Joshua Haberman wrote:
> I want to be sure that I'm not missing something.  It appears that
> memcached offers no form of authenticating or authorizing connections,
> so any security of this type need to be performed at the TCP level ie.
> through firewalling.  Is that correct?

Yes. Perhaps the docs don't stress that enough, I'm not sure, but this
is hugely important to remember:

NO AUTHENTICATION WHATSOEVER.

Small installations running memcached on publicly accessible servers
*must* take care not to allow unauthorised connections. This would
usually be done through using a private network which large 
installations typically use anyway. Small installations which use 
memcached should set up firewalling instructions carefully. memcached
also has a command-line option to listen on a particular interface only,
which may help to admins who set up their machines with >1 network 
interface.

--
avva