Project server should only bind to localhost by default
Closedopened 6 years ago by rrthomas · 7 comments
Reference in New Issue
There is no content yet.
Delete Branch '%!s(<nil>)'
Deleting a branch is permanent. It CANNOT be undone. Continue?
In the documentation you point out that the project server is insecure.
For the commonest case (wanting to test on machine running the project server) this could be largely mitigated by having it bind only to localhost.
Of course, it would then be useful to allow it to be reconfigured for other uses (classroom, collaboration &c.).
Is this hard or otherwise undesirable?
You can expect that this will remain biased toward my view of the “commonest” case: I often like to run the project server and view the site on machines nearby (e.g., iPhone, virtualized Windows, etc)
That said, it’s easy to adjust the project server’s behavior with the
#:listen-ipargument to restrict the server to
localhost. I suppose there would be three choices:
Introduce a new
setupvalue to control this.
Introduce a new switch for
raco pollen startto control this.
setupvalue seemed like overkill. If you do
raco pollen start --localthen the project server will be restricted to localhost.
Thanks for the switch and for documenting it.
However, it is the wrong way round: the server is insecure by default. Yes, this is documented, but that's not an excuse. Bugs in the server or elsewhere could cause the local user serious problems that are impossible if the server is listening only on a localhost address, and it's also easier, with this being the default behavior, to do it by mistake, e.g. with a typo.
Please think again!
What would be a common, practical case where this specific risk arises?
I don't think that is the right way to think about security. Security flaws often involve uncommon and impractical cases.
However, I'm thinking of for example leaking a file in the same directory containing confidential information, or bugs in, say, racket, glibc and/or the kernel that allow a remote exploit. (In other words, an exploit to which one would be exposed if one were using the server entirely "properly". But again, I think that is something one should have to think and type to do, not think and type not to do.)
I appreciate your views. Perhaps I will revisit this issue in the future. For now, I’m satisfied with how it works.
Thanks for listening!