no security at application level?
Anatoly Vorobey
mellon@pobox.com
Thu, 23 Oct 2003 00:55:25 +0200
On Wed, Oct 22, 2003 at 03:32:34PM -0700, Joshua Haberman wrote:
> I want to be sure that I'm not missing something. It appears that
> memcached offers no form of authenticating or authorizing connections,
> so any security of this type need to be performed at the TCP level ie.
> through firewalling. Is that correct?
Yes. Perhaps the docs don't stress that enough, I'm not sure, but this
is hugely important to remember:
NO AUTHENTICATION WHATSOEVER.
Small installations running memcached on publicly accessible servers
*must* take care not to allow unauthorised connections. This would
usually be done through using a private network which large
installations typically use anyway. Small installations which use
memcached should set up firewalling instructions carefully. memcached
also has a command-line option to listen on a particular interface only,
which may help to admins who set up their machines with >1 network
interface.
--
avva