brian at tangent.org
Thu Jan 31 20:59:38 UTC 2008
On Jan 30, 2008, at 12:03 PM, Tomash Brechko wrote:
> The DNS fear is stretched too far. You are basically saying that one
> should never ever bind to site-local address because there's a
> possibility that it is visible from the outside, and is not protected
Because bad setups never occur with DNS? A sysadmin never binds a
public address to an internal and external device, not realizing that
if some program comes along it will be exposed to the outside world?
Memcached has no password protection, so doesn't it make sense to have
an ounce more protection? (and it is not like memcached is designed to
be a multi-listener... and getaddrinfo() returns even junk like
AF_UNIX on older glibc).
I can patch it to bail on multi available, but that will cause older
glibc() to toss any binding (and the FreeBSD 4.x guys will be
submitting a patch later to just ignore all entries past the first
when they hit this problem).
> by the firewall. But why you bind to the first address then? As the
> second Drepper's paper says, there's _no guarantee_ that the first
> address is the right one, or not the site-local one. Anyways, I can't
> add more arguments here apart from citing Drepper again:
> The most important thing when using getaddrinfo is that all results
> are used in order. To stress the important words again: all and
> order. Too many (incorrect) programs only use the first result.
> Hope you know what you are doing (and to be frank, hope this won't get
> to memcached ;)).
>> OSX 10.5 has issues with IPv6 and binding for UDP right now, which is
>> why I left it that way (but then 10.5).
>> I've never found an authoritative that says you can get away with
>> setting IPPROT and not SOCK (or vice versa).
> At least on Linux, man 7 tcp begins with
> tcp_socket = socket(PF_INET, SOCK_STREAM, 0);
> example. POSIX says,
> Specifies a particular protocol to be used with the socket.
> Specifying a protocol of 0 causes socket() to use an unspecified
> default protocol appropriate for the requested socket type.
> I thought it is customary to specify zero protocol number, and let the
> system choose the appropriate. But alright, if you prefer to
> hard-code it, it won't do any harm. Not in the near future at
> As everything has been said, I let the one to push the patch to
> decide on
> one vs many address issue ;).
> Tomash Brechko
Brian "Krow" Aker, brian at tangent.org
http://krow.net/ <-- Me
http://tangent.org/ <-- Software
http://exploitseattle.com/ <-- Fun
You can't grep a dead tree.
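The "all results, in order" rule Tomash quotes from Drepper, shown as an added example that is not memcached's code: a hypothetical `bind_all()` walks every entry getaddrinfo() returns, creates each socket with that entry's own family/type/protocol triple instead of a hard-coded one, and skips entries that cannot be bound (such as an AF_INET6 result on a host without IPv6), so a second address is never silently left unbound.

```c
#define _POSIX_C_SOURCE 200112L
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Bind a socket on every address getaddrinfo() returns for host:port,
 * in order. Entries that cannot be bound are skipped. Stores up to maxfds
 * descriptors in fds; returns how many were bound, or -1 if lookup failed.
 * (Hypothetical helper written for this example, not memcached's API.) */
int bind_all(const char *host, const char *port, int socktype,
             int *fds, int maxfds) {
    struct addrinfo hints, *res, *ai;
    int n = 0;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;   /* accept both IPv4 and IPv6 results */
    hints.ai_socktype = socktype;  /* SOCK_STREAM or SOCK_DGRAM */
    hints.ai_flags = AI_PASSIVE;   /* wildcard addresses when host == NULL */

    if (getaddrinfo(host, port, &hints, &res) != 0)
        return -1;

    for (ai = res; ai != NULL && n < maxfds; ai = ai->ai_next) {
        int on = 1, fd;
        /* Ignore anything that is not an IP socket (e.g. stray AF_UNIX). */
        if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
            continue;
        /* Use this entry's own triple rather than a fixed PF_INET/0 pair. */
        fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (fd < 0)
            continue;
        setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof on);
#ifdef IPV6_V6ONLY
        /* Keep the v6 socket from also claiming v4, so both entries bind. */
        if (ai->ai_family == AF_INET6)
            setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof on);
#endif
        if (bind(fd, ai->ai_addr, ai->ai_addrlen) != 0 ||
            (socktype == SOCK_STREAM && listen(fd, 16) != 0)) {
            close(fd);  /* this address failed; keep going with the rest */
            continue;
        }
        fds[n++] = fd;
    }
    freeaddrinfo(res);
    return n;
}
```

Calling `bind_all(NULL, "11211", SOCK_STREAM, fds, 8)` binds the TCP wildcard address for every family the host supports; a result of 0 means nothing was bound and the caller should refuse to start rather than run without a listener.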