[Pushmi-users] memcached and security

bremner at unb.ca
Thu Sep 6 09:34:09 EDT 2007


Memcached has no authentication or access control mechanisms, although
the latest version claims it can listen on a unix domain socket.

In the default Debian installation of memcached, memcached listens on
127.0.0.1, so you are "only" exposed to users on the same host.

Can anyone clarify the security implications of the way that pushmi
uses memcached? How badly can a hostile user mess things up?

I guess I don't completely understand what pushmi is using memcached
for, as the following question probably reveals.

Would it make sense to have pushmi spawn its own copy of memcached
(listening on a unix domain socket owned by the same user)?  The
overhead would seem to be small relative to the amount of time spent
waiting for the network.

All the best,

David
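
Added example, not part of the original post or of pushmi's code: a Python check that a memcached unix domain socket (such as one created with memcached's `-s` option) is reachable only by the user that owns it. The function names, the socket file name and the stand-in listener are constructed for illustration.

```python
import os
import socket
import stat
import tempfile


def audit_socket(path, expected_uid):
    """Return findings; an empty list means only expected_uid can reach the socket."""
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        return [f"{path} is not a unix domain socket"]
    findings = []
    if st.st_uid != expected_uid:
        findings.append(f"socket owned by uid {st.st_uid}, expected {expected_uid}")
    # On Linux, connect() needs write permission on the socket file.
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        mode = stat.S_IMODE(st.st_mode)
        findings.append(f"socket mode {mode:04o} lets other users connect")
    # Some systems ignore socket file modes, so the directory must also be
    # private: whoever can write to it can replace the socket.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_uid != expected_uid:
        findings.append(f"directory owned by uid {parent.st_uid}")
    if parent.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        mode = stat.S_IMODE(parent.st_mode)
        findings.append(f"directory mode {mode:04o} is not private to the owner")
    return findings


def demo():
    """Constructed stand-in for memcached: audit a 0600 socket, then loosen it to 0666."""
    with tempfile.TemporaryDirectory() as private_dir:  # created with mode 0700
        path = os.path.join(private_dir, "memcached.sock")
        server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        server.bind(path)
        try:
            os.chmod(path, 0o600)
            private = audit_socket(path, os.getuid())
            os.chmod(path, 0o666)
            loosened = audit_socket(path, os.getuid())
        finally:
            server.close()
    return private, loosened


if __name__ == "__main__":
    for label, findings in zip(("0600", "0666"), demo()):
        print(label, findings or "ok")
```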
