Toru,

The problem with iptables is that it only protects based on a host/port combination.

If I have a shared server with 400 people having their own hosted directory in Apache, with iptables I can certainly restrict my memcached instance to only accept connections from that server. But any one of the valid 400 users on that server will have full access to all the information in my memcached instance.

All iptables has done is protect the *machine* that can access the information, not the *user* that can access the information.

MC

On 28 Oct 2009, at 03:04, Toru Maesaka wrote:


Awesome! Thanks for clarifying things.

Makes sense considering the growing popularity of shared networks.
However, here's my humble comment on this use-case... can't people
just use iptables for protecting their memcached host/port in a shared
network? Or is this feature intended for people that have very limited
freedom over the infrastructure?

Cheers,
Toru


On Tue, Oct 27, 2009 at 1:09 AM, Dustin <[email protected]> wrote:


On Oct 26, 1:33 am, Toru Maesaka <[email protected]> wrote:

From chasing the commit log and reading Trond's blog entry, I noticed
that we're throwing in SASL support to memcached.

I guess this is to make it friendlier to deploy memcached on an
untrusted network (e.g. Amazon's EC2) but I wanted to hear what the
actual deciding factor was. You know, personal curiosity and to keep
record of this feature discussion in the community mailing list.

 Hey,

 Thanks for starting this.  I was trying to get a few things together
on the wiki and had pretty much forgotten about the list.  :/

 Your guess is pretty much it, though... there have been some really
awful deployments.  The worst I've personally heard of was at an ISP
that offers both VPS and shared web hosting services where customers
would apparently commonly get a VPS instance just to run memcached and
connect to it from the shared web servers.  Effectively, anyone with
access to this service (i.e. anyone) can fairly easily rummage
through / manipulate anyone else's cache.

 As a bonus, the code already existed.  We'd talked about it a long
time ago and I built some stuff that worked then, but just got around
to cleaning it up enough to go (you can see the commits are from early
May).

 I don't think the documentation is *awesome* yet, but I've got the
higher level howto and protocol spec on the wiki:

   http://code.google.com/p/memcached/wiki/SASLHowto
   http://code.google.com/p/memcached/wiki/SASLAuthProtocol




--
Toru Maesaka <[email protected]>


--
Martin MC Brown, Technical Writer
MySQL and Infrastructure Group, Sun Microsystems
http://sun.com | http://mysql.com
Phone: x18435/+44 247 669 8435 Skype: mcmcslp
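The SASL Auth exchange that Dustin's howto links to, as an added example that is not code from this thread or from memcached itself: it builds the binary-protocol SASL Auth request with the PLAIN mechanism and checks the server's reply, i.e. the per-client credential check that an iptables host rule cannot express. Header layout, opcodes (0x20 list mechs, 0x21 auth, 0x22 step) and status codes are assumed to match the memcached binary protocol spec; the sample replies are constructed, not captured.

```python
import struct

# Memcached binary protocol header (24 bytes, big-endian): magic, opcode,
# key length, extras length, data type, vbucket/status, body length, opaque, CAS.
HEADER = struct.Struct("!BBHBBHIIQ")
REQ_MAGIC, RES_MAGIC = 0x80, 0x81
OP_SASL_LIST_MECHS, OP_SASL_AUTH, OP_SASL_STEP = 0x20, 0x21, 0x22  # assumed from spec
STATUS_OK, STATUS_AUTH_ERROR, STATUS_AUTH_CONTINUE = 0x0000, 0x0020, 0x0021


def sasl_plain_payload(user: str, password: str, authzid: str = "") -> bytes:
    """RFC 4616 PLAIN message: authzid NUL authcid NUL password."""
    return b"\0".join(s.encode("utf-8") for s in (authzid, user, password))


def build_sasl_auth(user: str, password: str, opaque: int = 1) -> bytes:
    """SASL Auth request: the key is the mechanism name, the value is the SASL data."""
    mech = b"PLAIN"
    payload = sasl_plain_payload(user, password)
    header = HEADER.pack(REQ_MAGIC, OP_SASL_AUTH, len(mech), 0, 0, 0,
                         len(mech) + len(payload), opaque, 0)
    return header + mech + payload


def parse_response(data: bytes) -> dict:
    """Split a binary-protocol response into its header fields and body."""
    if len(data) < HEADER.size:
        raise ValueError("short packet")
    (magic, opcode, _keylen, _extlen, _dtype, status,
     bodylen, opaque, _cas) = HEADER.unpack_from(data)
    if magic != RES_MAGIC:
        raise ValueError("not a response packet")
    body = data[HEADER.size:HEADER.size + bodylen]
    if len(body) != bodylen:
        raise ValueError("truncated body")
    return {"opcode": opcode, "status": status, "opaque": opaque, "body": body}


def auth_succeeded(resp: bytes) -> bool:
    """Accept the session only when the SASL Auth reply carries status 0x0000."""
    r = parse_response(resp)
    return r["opcode"] == OP_SASL_AUTH and r["status"] == STATUS_OK


# Constructed sample replies (not captured from a real server) for a good and a
# bad PLAIN bind; the body text is illustrative only.
SAMPLE_OK = HEADER.pack(RES_MAGIC, OP_SASL_AUTH, 0, 0, 0, STATUS_OK,
                        len(b"Authenticated"), 1, 0) + b"Authenticated"
SAMPLE_FAIL = HEADER.pack(RES_MAGIC, OP_SASL_AUTH, 0, 0, 0, STATUS_AUTH_ERROR,
                          len(b"Auth failure."), 1, 0) + b"Auth failure."
```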