facebookarchive/nailgun

Limit access to the daemon to the same user

Closed this issue · 4 comments

The Nailgun docs prominently note that:

Before you download it, be aware that it's not secure. Not even close. Although there are means to ensure that the client is connected to the server from the local machine, there is not yet any concept of a "user". Any programs that run in Nailgun are run with the same permissions as the server itself. You have been warned.

A standard approach to improve the security story would be to require that the client passes an authentication token that it reads from a file written by the server (this is often piggybacked on the file used for port discovery). This file can be restricted to be readable only by the current server user (locking down the file permissions is a bit fiddly to do in Java in a cross-platform way, but is possible with the NIO APIs).

An alternative approach is to use Unix Domain Sockets / Windows Named Pipes (as is done in facebook/watchman), rather than a TCP socket on the loopback interface. This would require some platform-specific native code (or a library that wraps said native code) on the server side.
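One way to implement the token-file approach described above, written in Java because the Nailgun server is Java. This is added example code, not Nailgun's own code. The file name `ng.port`, the `port\ntoken\n` layout, the helper names and the idea that the client presents the token in its handshake before the command are all assumptions of the example; how the token would travel inside Nailgun's wire protocol is not shown.

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.channels.SeekableByteChannel;
import java.nio.charset.StandardCharsets;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;
import java.nio.file.attribute.AclEntry;
import java.nio.file.attribute.AclEntryPermission;
import java.nio.file.attribute.AclEntryType;
import java.nio.file.attribute.AclFileAttributeView;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.nio.file.attribute.UserPrincipal;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Collections;
import java.util.EnumSet;
import java.util.List;
import java.util.Set;

/** Example (not Nailgun code): port-discovery file that also carries a per-user secret. Java 11+. */
public final class NgTokenFile {
    private static final SecureRandom RNG = new SecureRandom();

    /** 256 bits from SecureRandom, hex-encoded so it survives line-based parsing. */
    static String newToken() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        StringBuilder sb = new StringBuilder(64);
        for (byte b : raw) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    /** Server side: create the file so that only the current user can read it, then write port and token. */
    static void writeServerFile(Path path, int port, String token) throws IOException {
        Files.deleteIfExists(path); // never write into a file something else may have planted here
        byte[] body = (port + "\n" + token + "\n").getBytes(StandardCharsets.UTF_8);
        Set<StandardOpenOption> createNew = EnumSet.of(StandardOpenOption.CREATE_NEW, StandardOpenOption.WRITE);
        if (FileSystems.getDefault().supportedFileAttributeViews().contains("posix")) {
            // POSIX: mode 0600 is passed to open(2), so the file is never world-readable, not even briefly.
            // CREATE_NEW also fails if something (e.g. a symlink) appeared between the delete and the create.
            FileAttribute<Set<PosixFilePermission>> mode0600 = PosixFilePermissions.asFileAttribute(
                    EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE));
            try (SeekableByteChannel ch = Files.newByteChannel(path, createNew, mode0600)) {
                ch.write(ByteBuffer.wrap(body));
            }
        } else {
            // Windows (no "posix" view): create the file empty, replace its DACL with a single
            // owner-only entry, and only then write the secret into it.
            Files.newByteChannel(path, createNew).close();
            AclFileAttributeView aclView = Files.getFileAttributeView(path, AclFileAttributeView.class);
            if (aclView == null) throw new IOException("cannot restrict permissions on " + path);
            UserPrincipal owner = aclView.getOwner();
            AclEntry ownerOnly = AclEntry.newBuilder()
                    .setType(AclEntryType.ALLOW)
                    .setPrincipal(owner)
                    .setPermissions(EnumSet.allOf(AclEntryPermission.class))
                    .build();
            aclView.setAcl(Collections.singletonList(ownerOnly));
            Files.write(path, body, StandardOpenOption.WRITE, StandardOpenOption.TRUNCATE_EXISTING);
        }
    }

    /** Client side: parse "port\ntoken\n"; returns {port, token}. Rejects malformed files instead of guessing. */
    static String[] readServerFile(Path path) throws IOException {
        List<String> lines = Files.readAllLines(path, StandardCharsets.UTF_8);
        if (lines.size() < 2) throw new IOException("malformed discovery file: " + path);
        int port = Integer.parseInt(lines.get(0).trim());
        if (port < 1 || port > 65535) throw new IOException("bad port in " + path);
        return new String[] { Integer.toString(port), lines.get(1).trim() };
    }

    /** Server side: compare the token a client presented with its own. Constant time, tolerates null/length mismatch. */
    static boolean tokenMatches(String expected, String presented) {
        return presented != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), presented.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("ng-example"); // constructed location for the demo
        Path file = dir.resolve("ng.port");                   // assumed file name
        String token = newToken();
        writeServerFile(file, 2113, token);                   // 2113: Nailgun's default TCP port
        String[] parsed = readServerFile(file);
        System.out.println("port=" + parsed[0]
                + " own token accepted=" + tokenMatches(token, parsed[1])
                + " wrong token rejected=" + !tokenMatches(token, "0".repeat(64)));
        Files.delete(file);
        Files.delete(dir);
    }
}
```

Two caveats a practitioner would check before relying on this. On POSIX the protection comes entirely from the mode at creation time, so the directory itself must be one the user controls (a per-user directory, not /tmp with a predictable name). On Windows, replacing the DACL through `AclFileAttributeView` does not by itself guarantee that inherited entries from the parent directory are gone on every configuration; verify the resulting ACL with `icacls` on a real deployment rather than trusting the call. In both cases the server must compare tokens with `MessageDigest.isEqual` rather than `String.equals`, as above, so that the comparison does not leak the position of the first mismatching byte.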

nailgun can be used with Unix Domain Sockets / Windows Named Pipes. See pynailgun/test_ng.py to see examples of such usage.

Related to this, using NGUnixDomainSocket and NGWin32NamedPipeServerSocket I'm planning to support Unix Domain Sockets / Windows Named Pipes for sbt server (sbt/sbt#3742). sbt is a build tool for Scala.

  1. Would you consider splitting up the socket related code into a separate library?
  2. Could you release it (or the latest Nailgun) to Maven Central please?

@eed3si9n

Some internal details of NGWin32NamedPipeServerSocket are not universal and rely on how nailgun uses the connection. The same may be true for NGUnixDomainSocket. (This is why they have NG prefixes.) In order to be used with other backends, like sbt, they will require some rethinking.