[Pkg-erlang-devel] Bug#585122: Please make epmd bindable to only loopback address

Joerg Dorchain joerg at dorchain.net
Wed Jun 9 14:27:00 UTC 2010


On Wed, Jun 09, 2010 at 03:31:07PM +0400, Sergei Golovan wrote:
> 
> I don't think that it's a good idea. Since epmd works silently it's easy

This silence is a nightmare from a security point of view.

> to create a mess if you'll start another Erlang application in distributed
> mode (after ejabberd it'll be unusable, before ejabberd you'll get the
> same binding to all interfaces but will not be aware of it). The less

I can only repeat the well-known arguments for the rpc portmapper
daemon.

To me, it seems desirable to start epmd separately via
initscripts and dependencies prior to any programs needing it.
Same for portmapper, whose main application IMHO is nfs. Please
take a look at it and its debconf script.

If you like, please consider this as a suggestion to start epmd
that way. Any other erlang programmes, esp. daemons, can have a
dependency on it.

> options epmd supports the better.

Well, only no options are a good option, from that point of view.
As well as no open sockets are the only safe ones.

> 
> I think that it's better to simply protect port 4369 by a firewall rule.

This is only a weak workaround. Not everyone needs/wants to run
distributed applications. I absolutely do not like the idea of
opening a port "just in case" I ever need distributed systems.

Bye,

Joerg
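A check a package maintainer or admin can run to see whether epmd (TCP 4369) is listening beyond loopback, as an added example that is not part of this thread. It parses `ss -Hltn`-style listener lines; the sample outputs below are constructed, and the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example: audit whether epmd (TCP port 4369) is bound to a
# non-loopback address. Input format is that of `ss -Hltn`:
#   State Recv-Q Send-Q Local:Port Peer:Port

# Print the local address of every LISTEN socket on port 4369 that is
# not bound to loopback (127.0.0.0/8 or ::1). Reads ss lines on stdin.
epmd_exposed_listeners() {
    awk '
        $1 == "LISTEN" {
            local = $4
            # Split "addr:port" at the last colon (IPv6 addresses contain colons).
            n = match(local, /:[0-9]+$/)
            if (n == 0) next
            addr = substr(local, 1, n - 1)
            port = substr(local, n + 1)
            if (port != "4369") next
            gsub(/\[|\]/, "", addr)      # strip IPv6 brackets
            if (addr ~ /^127\./ || addr == "::1") next
            print addr
        }'
}

# Constructed sample: epmd bound to all interfaces (IPv4 and IPv6),
# alongside unrelated listeners that must not be reported.
SAMPLE_EXPOSED='LISTEN 0 128 0.0.0.0:4369 0.0.0.0:*
LISTEN 0 128 [::]:4369 [::]:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# Constructed sample: epmd restricted to loopback only.
SAMPLE_LOOPBACK='LISTEN 0 128 127.0.0.1:4369 0.0.0.0:*
LISTEN 0 128 [::1]:4369 [::]:*'

# Takes ss output as $1; prints the exposed addresses and returns 0 when
# epmd is reachable from outside the host, returns 1 when it is not.
check_epmd_exposure() {
    exposed=$(printf '%s\n' "$1" | epmd_exposed_listeners)
    [ -n "$exposed" ] && { printf '%s\n' "$exposed"; return 0; }
    return 1
}

# Live audit of the running host:  ss -Hltn | epmd_exposed_listeners
```

Newer OTP releases let epmd itself be restricted with `epmd -address 127.0.0.1` (or the `ERL_EPMD_ADDRESS` environment variable), which is the binding this bug asks for.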
