[Chilli] [PATCH] adds option for chilli query TCP socket

David Bird david at coova.com
Mon Mar 5 12:21:20 UTC 2012


A valid concern, obviously. The default will remain to be using the unix
socket and file system permissions for security. The patch (on the
client side anyway) was limited to localhost, however, the server side
socket was ANY (so, the patch does in fact have a major security issue
in that regard, and still needs more). I'd like to see the TCP port
protected with SSL cert/ca verifications; if anyone cares to implement,
it would be appreciated. I am also considering making the feature only
available with a compile-time option so that it isn't used lightly or by
mistake; certainly should never be the default. 



On Mon, 2012-03-05 at 12:20 +0100, Joerg Mayer wrote:
> On Mon, Mar 05, 2012 at 09:33:28AM +0100, David Bird wrote:
> > I applied and committed your patches. Thanks! However, I'll be making
> > some changes. For instance, it isn't good that chilli_query will default
> > to using the TCP port instead of the unix socket... I will change it to
> > only use the TCP socket if specified. Also, might as well allow for
> > chilli_query to use an IP other than localhost. It would be great if
> > you'd make these changes and submit another patch, otherwise I will do
> > it. 
> 
> What sort of security mechanism is there to make sure the tcp sockets cannot
> be used by any user on localhost or any remote user?
> 
> Thanks
>    Jörg

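The exposure described in the reply above (client limited to localhost, server socket bound to ANY) can be checked on a live listener by asking the kernel what address it is actually bound to. This is an added example, not code from the patch or from CoovaChilli; `classify_bind_addr`, `socket_exposure` and `open_ctl_listener` are hypothetical names, and it covers IPv4 only.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

enum exposure { EXP_LOOPBACK, EXP_SPECIFIC, EXP_WILDCARD, EXP_UNKNOWN };

/* Classify an IPv4 bind address: 0.0.0.0 (ANY) accepts on every interface. */
enum exposure classify_bind_addr(const struct sockaddr_in *sa)
{
    uint32_t a = ntohl(sa->sin_addr.s_addr);
    if (sa->sin_family != AF_INET) return EXP_UNKNOWN;
    if (a == INADDR_ANY)           return EXP_WILDCARD;
    if ((a >> 24) == 127)          return EXP_LOOPBACK;   /* 127.0.0.0/8 */
    return EXP_SPECIFIC;
}

/* Ask the kernel what a live socket is bound to, rather than trusting config. */
enum exposure socket_exposure(int fd)
{
    struct sockaddr_in sa = {0};
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) != 0) return EXP_UNKNOWN;
    return classify_bind_addr(&sa);
}

/* Hypothetical helper: listen on bind_ip; NULL means ANY (the flawed case).
 * Port 0 lets the kernel pick a free port. Returns the fd, or -1 on error. */
int open_ctl_listener(const char *bind_ip, uint16_t port)
{
    struct sockaddr_in sa = {0};
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    if (bind_ip && inet_pton(AF_INET, bind_ip, &sa.sin_addr) != 1) { close(fd); return -1; }
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0 || listen(fd, 4) != 0) { close(fd); return -1; }
    return fd;
}

int main(void)
{
    int any = open_ctl_listener(NULL, 0), lo = open_ctl_listener("127.0.0.1", 0);
    /* Prints the enum exposure value for each listener. */
    printf("any=%d loopback=%d\n", socket_exposure(any), socket_exposure(lo));
    return 0;
}
```

A loopback-only bind keeps remote hosts out but still lets any local user connect, which is the gap the unix socket's file permissions close.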