Package: memcached Version: 1.1.12-1 Hi Jay!
Memcached offers no authentication or authorization. Any client that makes a connection has full read-write access to all its data. Its philosophy is that authorization slows things down, and that the administrator is responsible for securing access. This almost always means the administrator must ensure the machine running memcached is firewalled. The package's memcached.conf file makes reference to this, but comes configured to listen on all interfaces: # Specify which IP address to listen on. The default is to listen on all IP addresses # This parameter is one of the only security measures that memcached has, so make sure # it's listening on a firewalled interface. # -l 12.34.56.78 The configuration should instead be as secure as reasonably possible by default. An administrator who has taken the appropriate security precautions can edit the configuration file to listen on more interfaces, but by default, memcached should listen only on the loopback interface. There are still security implications that administrators should be aware of, but a local issue is always better than a remote issue. It will be harder for a careless admin to get in trouble if the cache doesn't come with full access to the intranet or internet. I would suggest: # Specify which IP address to listen on. The default is to listen only on localhost. # This parameter is the only real security measure that memcached has, so make sure # it's listening on a firewalled interface. -l 127.0.0.1 BTW, I don't know if you're still on the memcached mailing list but a new version for preliminary testing just got posted, so there may be something new for you in a couple of weeks or something. -- Jamie McCarthy http://mccarthy.vg/ [EMAIL PROTECTED]
