On Sun, May 04, 2008 at 09:56:48AM +0200, Sahid Ferdjaoui wrote:
> hello sylvain
>
> "<Beuc> I'm checking how we can setup memcached at Savannah, securely.
> If anybody can issue a connection to memcached and alter the cache, and
> if users&groups are cached, he could alter the project membership :/"
>
> we configure the server memcached to accept only requests of
> application servers,
> with iptables, no ?
Yes, but at Savannah we use Linux VServer to run several independent systems at once. This means we need to make sure only 1 of those systems can access memcached, and reject the other systems, even if they are running on the same hardware :)

Technically, nobody has local access to any of those vservers but, if this ever happens for one reason or another (e.g. improperly secured VCS hooks), I'd like to block privilege escalation.

-- 
Sylvain
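As an added example (not part of this thread or of Savannah's configuration), here is one way to express the "only one vserver may talk to memcached" rule with iptables; it assumes memcached listens on 10.0.0.10 and the web guest is 10.0.0.20, both constructed addresses:

```shell
#!/bin/sh
# Constructed example, not from the thread: iptables rules that let only
# one Linux-VServer guest reach memcached on the same host.
# Assumed addresses: memcached listens on 10.0.0.10, the Savannah web
# guest is 10.0.0.20; every other guest (and any other host) is dropped.
MC_PORT=11211

# Emit the rule set on stdout so it can be reviewed before being piped
# to sh. Guests on one VServer host share the kernel network stack, so
# traffic between two local addresses is delivered over lo; the jump is
# therefore inserted at the top of INPUT, ahead of any "-i lo -j ACCEPT".
memcached_acl_rules() {
    mc_ip="$1"; app_ip="$2"
    cat <<EOF
iptables -N MEMCACHED
iptables -A MEMCACHED -s $app_ip -d $mc_ip -p tcp --dport $MC_PORT -j ACCEPT
iptables -A MEMCACHED -s $app_ip -d $mc_ip -p udp --dport $MC_PORT -j ACCEPT
iptables -A MEMCACHED -j DROP
iptables -I INPUT 1 -d $mc_ip -p tcp --dport $MC_PORT -j MEMCACHED
iptables -I INPUT 1 -d $mc_ip -p udp --dport $MC_PORT -j MEMCACHED
EOF
}

# Sanity-check a generated rule set: only the one allowed source may be
# accepted, and the MEMCACHED chain must end in DROP. Returns 0 if so.
memcached_acl_check() {
    rules="$1"; app_ip="$2"
    accepts=$(printf '%s\n' "$rules" | grep -c -- "-j ACCEPT" || true)
    others=$(printf '%s\n' "$rules" | grep -- "-j ACCEPT" \
             | grep -vc -- "-s $app_ip " || true)
    last=$(printf '%s\n' "$rules" | grep -- '-A MEMCACHED' | tail -n 1)
    [ "$accepts" -eq 2 ] && [ "$others" -eq 0 ] &&
        [ "$last" = "iptables -A MEMCACHED -j DROP" ]
}

# Bind memcached to that single address as well, instead of 0.0.0.0.
memcached_start_cmd() { echo "memcached -d -u nobody -l $1 -p $MC_PORT"; }

if [ "${1:-}" = "print" ]; then
    memcached_acl_rules 10.0.0.10 10.0.0.20
    memcached_start_cmd 10.0.0.10
fi
```

Run it with `print` to see the rule set; the filter only covers traffic that reaches the host's INPUT chain, so it does not replace keeping memcached off any public interface.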
