From mboxrd@z Thu Jan 1 00:00:00 1970
From: Aleix Conchillo Flaqué
Newsgroups: gmane.lisp.guile.devel
Subject: Re: [PATCH] web: default to INADDR_ANY instead of INADDR_LOOPBACK
Date: Fri, 22 Jul 2022 10:14:54 -0700
References: <20220203002638.34504-1-aconchillo@gmail.com> <8d7255ee-07b2-bd66-2e33-75c8d112756e@telenet.be>
In-Reply-To: <8d7255ee-07b2-bd66-2e33-75c8d112756e@telenet.be>
To: Maxime Devos
Cc: guile-devel
List-Id: "Developers list for Guile, the GNU extensibility library"
Xref: news.gmane.io gmane.lisp.guile.devel:21267

Thank you Maxime,

On Fri, Jul 22, 2022 at 2:44 AM Maxime Devos wrote:

> On 22-07-2022 02:44, Aleix Conchillo Flaqué wrote:
> > ping. easy one but might be more controversial.
> >
> > On Wed, Feb 2, 2022 at 4:26 PM Aleix Conchillo Flaqué <aconchillo@gmail.com> wrote:
> >> Using INADDR_ANY instead of INADDR_LOOPBACK makes it convenient when
> >> starting the web server inside containers
>
> I don't see what containers have to do with anything? If you want it to
> access the Internet, just don't do a network container (don't create a new
> network namespace). Or to reduce access, do create a new network namespace
> but set up port forwarding (which I would expect to work with loopback).

Now that I read it again, I have no clue what containers have to do with
this either, especially because I never run Guile in a container... So,
forget about the container reference.

> >> without having to specify INADDR_ANY all the time.
>
> I don't recommend this as a default, as it opens up potential security
> problems (some programs open a web server for local communication on the
> computer). INADDR_LOOPBACK is a safe default, anyone needing something else
> and knowing their use is safe can easily override to INADDR_ANY.
>
> > This is the default in most libraries and languages.
>
> Is ad populum. Plenty of bad choices have been made in the past, see e.g.
> all the CVEs, so I don't think this is a good argument. (It is an argument
> if you are switching to INADDR_ANY for _consistency_, but the patch appears
> to be for other purposes.)

Makes sense. Thank you for the reply!

Best,

Aleix
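Maxime's point that anyone who needs INADDR_ANY "can easily override" the loopback default, shown as an added example that is not part of this thread or of Guile's own sources: a small Guile script that keeps INADDR_LOOPBACK unless the operator passes an explicit --bind address, and logs what it bound to. It assumes Guile's (web server) run-server with the 'http backend and its #:addr/#:port open parameters; the handler body and the option names are constructed for the example.

```scheme
(use-modules (web server)
             (ice-9 getopt-long))

;; Constructed example handler: answers every request with a short text body.
(define (handler request body)
  (values '((content-type . (text/plain)))
          "hello from guile\n"))

;; Map the optional --bind string to a numeric IPv4 address.
;; No --bind means loopback, the conservative default the thread argues for;
;; exposing the server on all interfaces requires writing "0.0.0.0" explicitly.
(define (bind-address str)
  (if str
      (inet-pton AF_INET str)   ; "0.0.0.0" yields INADDR_ANY, "127.0.0.1" loopback
      INADDR_LOOPBACK))

(define (main args)
  (let* ((spec '((bind (value #t))
                 (port (value #t))))
         (opts (getopt-long args spec))
         (addr (bind-address (option-ref opts 'bind #f)))
         (port (string->number (option-ref opts 'port "8080"))))
    ;; Make the chosen listener visible in logs so an exposed bind is auditable.
    (format (current-error-port) "listening on ~a:~a~%"
            (inet-ntop AF_INET addr) port)
    ;; open-params is a list handed to the http backend, so build it with
    ;; `list`, not a quoted literal: INADDR_ANY and INADDR_LOOPBACK are
    ;; variables and a quoted list would pass the bare symbol instead.
    (run-server handler 'http (list #:addr addr #:port port))))

(main (command-line))
```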