extend --profile cmd line option to allow interface to be specified #838
Conversation
|
I like this. I am just wondering if the default should be to listen on localhost only... |
|
I agree with @dajohi. Just like the RPC server, this should should only listen on localhost by default. That was a big reason it only allowed a port to begin with back in the early days. I agree with being able to specify other interfaces though as that is quite reasonable for certain setups, but it shouldn't expose your process to the world by default. |
|
Thanks for the input! I was thinking the same, but I'm conservative on breaking changes. Is localhost or 127.0.0.1 better to use?
My immediate inclination is to use "localhost", however by specifying "127.0.0.1" there is an in-theory small hardening in security, as hosts can be edited on several platforms - I remember in years gone by on older versions of Windows editing my hosts file a bit.
I'll go with 127.0.0.1 unless there is other feedback.
… On 6 Sep 2017, at 9:52 am, Dave Collins ***@***.***> wrote:
I agree with @dajohi. Just like the RPC server, this should should only listen on localhost by default. That was a big reason it only allowed a port to begin with back in the early days.
I agree with being able to specify other interfaces though as that is quite reasonable for certain setups, but it shouldn't expose your process to the world by default.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub, or mute the thread.
|
jpz
force-pushed
the
profile_with_interface_option
branch
from
92420b3 to
cb739fd
Compare
|
Yes, |
|
localhost is preferred :) |
|
Can you elaborate - what your rationale for saying localhost is preferred? After reading through the requisite Stackoverflow reading :) the feedback seemed to be that it makes no difference unless we were opening a Unix domain socket, but this is a TCP connection. |
|
localhost will listen on ::1 as well. Using localhost will try ::1 first, then 127.0.0.1 on systems that prefer ipv6. |
|
I prefer to leave it as it is, I think connecting to 127.0.0.1 will always work, and the arguments for hardening against localhost spoofing still stand, even though it's an unlikely attack vector. Still, it's hard to foresee security issues across multiple versions of multiple operating systems. I can just remember working in environments (old Windows NT versions) where the HOSTS file was modifiable. I would only see a need to resolve to an IPv6 address from localhost, if I were running on a platform that doesn't support IPv4 - which is hard to imagine. I can change it if you still think that I should however. |
config.go
Outdated
|
|
||
| // check the Profile is a valid address | ||
| _, portStr, err := net.SplitHostPort(cfg.Profile) | ||
|
|
dcrd.go
Outdated
| dcrdLog.Infof("Creating profiling server "+ | ||
| "listening on %s", listenAddr) | ||
| "listening on %s", cfg.Profile) |
There was a problem hiding this comment.
Please use listenAddr that was just defined as to avoid a source change that doesn't actually change anything.
jpz
force-pushed
the
profile_with_interface_option
branch
from
c0b7539 to
0139cc6
Compare
jpz
force-pushed
the
profile_with_interface_option
branch
from
0139cc6 to
509eed3
Compare
|
done. thanks for the review - squashed and rebased |
Closes #691