password protection

Richard Thomas lists at cyberlot.net
Tue Oct 18 07:47:32 PDT 2005


The data is in memory regardless of what you do; if someone has root 
access to your server they can read it, period.

I think you should treat it just like you would any other database; if 
there is data that is that important it needs to be encrypted. It needs 
to be locked down as much as possible for outside access.

The thing is, before you even considered adding some sort of login and 
password to memcache you would have to add SSL support; otherwise the 
use of a login and password is, well, useless from a true security 
standpoint.

If all else fails, maybe just use memcache as an offload for the 
database, cache all non-vital information and leave the important stuff 
up to the DB?

As to buffer overflows, do you not check and filter all user input before 
sending it off to any database? You should do the same thing for 
memcached.



Richard Thomas - CEO
Cyberlot Technologies Group Inc.
507.398.4124 - Voice


Casper Langemeijer wrote:
> Hi all!
> 
> I plan on using memcached for a new project, but I've got one big 
> thing to consider: security. This of course should be a big thing in 
> software development anyway, but I work for a company that is ISO 
> certified for security. For me it is an even bigger concern.
> 
> 1. I've found no way of ensuring the data is read only by my application.
> 
> I thought of:
> 
> - encrypting the data I put into memcached, this I obviously dismissed 
> because this would make caching too slow.
> - using UNIX domain sockets (a socket file) to connect to memcached. This 
> would enable me to use UNIX file permissions to 'secure' memcached a bit. 
> I see no real pitfalls here, except that it limits me to use memcached 
> only on the local machine, and I might want to use dedicated caching 
> machines somewhere along the line...
> 
> Is there a plan to add some form of password protection to memcached? 
> 
> As there probably isn't, what is the best way to go for me? The only 
> thing I can think of is to add this feature to memcached myself, something 
> I am very well willing to do. Are there other people around here that have 
> some idea of how to implement a thing like this?
> If I'm going to add a feature, I like to make it more generally usable and 
> someone else might benefit from my work...
> 
> 
> Finally, I wonder if someone of you can make some statement about this 
> daemon's security? I would never run this daemon on a publicly accessible 
> port, that's obvious, but what about buffer overflow risks and such?
> 
> 
> Thanks for your time,
> 
> Casper Langemeijer
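Two points raised in this thread, filtering input before it reaches memcached and using UNIX file permissions on a domain socket, as an added Python example; this is not code from the thread or from memcached itself. It assumes a placeholder socket path (nothing here names the real file) and applies the text-protocol rule that keys are delimited by spaces and newlines and limited to 250 bytes.

```python
import os
import stat

MAX_KEY_BYTES = 250  # key length limit of memcached's text protocol


def is_safe_key(key: str) -> bool:
    """Return True only if `key` can be sent over the memcached text protocol
    without being misparsed.

    The text protocol separates tokens with spaces and ends each command with
    \\r\\n, so whitespace or control characters inside a key built from user
    input would change how the server tokenises the request. Only printable
    ASCII is accepted here, which is stricter than the protocol requires but
    simple to reason about.
    """
    raw = key.encode("utf-8", errors="surrogateescape")
    if not raw or len(raw) > MAX_KEY_BYTES:
        return False
    return all(0x20 < b < 0x7F for b in raw)


def mode_is_restricted(st_mode: int, allowed: int = 0o600) -> bool:
    """True if `st_mode` describes a UNIX domain socket whose permission bits
    grant nothing beyond `allowed` (default: owner read/write only)."""
    if not stat.S_ISSOCK(st_mode):
        return False
    return (stat.S_IMODE(st_mode) & ~allowed) == 0


def socket_is_restricted(path: str, allowed: int = 0o600) -> bool:
    """Stat `path` and apply mode_is_restricted; a missing path counts as unsafe."""
    try:
        return mode_is_restricted(os.lstat(path).st_mode, allowed)
    except FileNotFoundError:
        return False


if __name__ == "__main__":
    # Constructed sample keys: the last three must be rejected.
    samples = ["user:42:profile", "session_abc", "user 42", "has\r\nnewline", "a" * 251]
    for k in samples:
        print(repr(k)[:30], "->", "ok" if is_safe_key(k) else "rejected")
    # Placeholder path (assumption): check the socket file before connecting.
    print(socket_is_restricted("/var/run/memcached.sock"))
```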

