memcached has never claimed to be "secure" in the sense you're thinking. It's a domain specific application that was designed the lightest way possible with certain expectations of its usage.
Do you also want mysql to spit out a warning if it's listening on a public ip? Do you want your webserver to spit out a notice when it's not listening on a public ip? Some people need the "for external use only" type warnings but honestly if you don't grok the basics of server administration then you shouldn't be in a position to do it. Or, fork memcached (you're totally allowed to) and make a version that offers kid gloves. Notices on startup reminding you about IP address binding (even though the config file makes it very clear how to bind), a username/password in the protocol (slowing it down and negating the original purpose), and why not also remind the admin to take a shower or eat a healthy breakfast while you're at it.

On Aug 7, 2010, at 7:45 AM, samwyse <[email protected]> wrote:

> So you don't think it's a good idea to warn idiot sysadmins if they
> set up memcached in the one way it was never ever ever intended to be
> setup? I disagree. If people would RTFM, we wouldn't need the
> acronym. Checking the address that is being bound would only incur a
> cost at startup, and could help the users of sites that hire idiot
> sysadmins (who have plenty of ways to get themselves fired without
> risking other people's personal information).
>
> On Sat, Aug 7, 2010 at 8:54 AM, Brian Moon <[email protected]> wrote:
>> On 8/7/10 7:09 AM, samwyse wrote:
>>>
>>> I've just now suggested this on Slashdot: At startup, issue a big
>>> multi-line warning if the IP addresses that are getting bound aren't
>>> on the loopback address or a private internet. The private internets
>>> are defined in RFC 1918 as:
>>>
>>> 10.0.0.0 - 10.255.255.255 (10/8 prefix)
>>> 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
>>> 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
>>
>> That would be a knee jerk reaction to a poorly worded headline on Slashdot
>> because some idiot sysadmins at some high profile sites should be fired for
>> setting up memcached in the one way it was never ever ever intended to be
>> setup.
>>
>> --
>>
>> Brian.
>> --------
>> http://brian.moonspot.net/
>>
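The startup check proposed in the quoted thread, sketched as an added example (not memcached's code and not written by anyone in the thread). The function and enum names are hypothetical, only IPv4 is handled, and treating the wildcard address 0.0.0.0 as exposed is this example's own choice, since it is neither loopback nor RFC 1918.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

/* Classification of one IPv4 listen address (names are this example's own). */
enum bind_scope { BIND_LOOPBACK, BIND_PRIVATE, BIND_WILDCARD, BIND_PUBLIC, BIND_INVALID };

/* True when addr (host byte order) falls inside prefix/len. */
static int in_prefix(uint32_t addr, uint32_t prefix, int len)
{
    uint32_t mask = len ? 0xFFFFFFFFu << (32 - len) : 0;
    return (addr & mask) == (prefix & mask);
}

enum bind_scope classify_bind_addr(const char *text)
{
    struct in_addr in;
    uint32_t a;
    if (text == NULL || inet_pton(AF_INET, text, &in) != 1)
        return BIND_INVALID;                    /* not a dotted-quad IPv4 address */
    a = ntohl(in.s_addr);
    if (a == 0)                         return BIND_WILDCARD; /* 0.0.0.0: every interface */
    if (in_prefix(a, 0x7F000000u, 8))   return BIND_LOOPBACK; /* 127/8 */
    if (in_prefix(a, 0x0A000000u, 8))   return BIND_PRIVATE;  /* 10/8 */
    if (in_prefix(a, 0xAC100000u, 12))  return BIND_PRIVATE;  /* 172.16/12 */
    if (in_prefix(a, 0xC0A80000u, 16))  return BIND_PRIVATE;  /* 192.168/16 */
    return BIND_PUBLIC;
}

/* Returns 1 and prints a warning unless the address is loopback or RFC 1918. */
int warn_if_exposed(const char *text)
{
    enum bind_scope s = classify_bind_addr(text);
    if (s == BIND_LOOPBACK || s == BIND_PRIVATE)
        return 0;
    fprintf(stderr, "WARNING: listen address %s is %s\n", text ? text : "(null)",
            s == BIND_WILDCARD ? "the wildcard, so every interface accepts connections" :
            s == BIND_PUBLIC   ? "outside loopback and RFC 1918 space" :
                                 "not a valid IPv4 address");
    return 1;
}

int main(void)
{
    /* Constructed sample addresses, not taken from the thread. */
    const char *samples[] = { "127.0.0.1", "10.1.2.3", "172.31.255.255",
                              "172.32.0.1", "0.0.0.0", "203.0.113.7" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-15s exposed=%d\n", samples[i], warn_if_exposed(samples[i]));
    return 0;
}
```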
