On Monday 2019-02-11 18:55, Matwey V. Kornilov wrote:
It's 2019. Why are we still depending on portmappers?
[epmd] does have authorization. This port mapper is common for all Erlang nodes running on the same host. You can discover the node (until the node is 'hidden') in epmd, but it doesn't mean that you may connect to this node, you usually need to know the node cookie which is usually randomly generated.
Even so, you get a list of services, which could be considered an information leak.
The main issue is that erl tries to spawn an epmd process every time it cannot connect to epmd on start
and if it were using a user-local epmd, all would be better methinks:

- do not announce own presence to unrelated users
- do not spin up a process in another user's context
  ^ security guys won't be as mad anymore
  ^ if epmd screws up, it'll be limited to one's own user identity
- epmd started in the user systemd session is bound to the session lifetime / cgroup. Outlives the login shell generally.
- won't drag other users' erl nodes down when your epmd terminates
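
The node listing discussed in this thread, as an added example that is not part of the original message or of the Erlang project's code: epmd answers a NAMES request with one text line per registered node, and no cookie is involved. The sample reply and the node names in it are constructed; `query_local_epmd` is a hypothetical helper name for checking your own host.

```python
import socket
import struct

EPMD_PORT = 4369   # default epmd listening port
NAMES_REQ = 110    # request tag 'n' in the Erlang distribution protocol


def build_names_request() -> bytes:
    """Frame a NAMES_REQ: 2-byte big-endian length, then the 1-byte tag."""
    return struct.pack(">HB", 1, NAMES_REQ)


def parse_names_response(data: bytes):
    """Return (epmd_port, [(node_name, dist_port), ...]) from a NAMES reply."""
    if len(data) < 4:
        raise ValueError("truncated NAMES response")
    (epmd_port,) = struct.unpack(">I", data[:4])
    nodes = []
    for line in data[4:].decode("utf-8", "replace").splitlines():
        parts = line.split()
        # Each entry is the text line "name <node> at port <port>".
        if (len(parts) == 5 and parts[0] == "name"
                and parts[2:4] == ["at", "port"] and parts[4].isdigit()):
            nodes.append((parts[1], int(parts[4])))
    return epmd_port, nodes


def query_local_epmd(host="127.0.0.1", port=EPMD_PORT, timeout=2.0):
    """Ask the epmd on this host what it discloses; no cookie is sent."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_names_request())
        chunks = []
        while chunk := s.recv(4096):   # epmd closes the socket after replying
            chunks.append(chunk)
    return parse_names_response(b"".join(chunks))


# Constructed sample reply: two nodes started by different users (names made up).
SAMPLE = (struct.pack(">I", 4369)
          + b"name rabbit at port 25672\nname alice_dev at port 41237\n")

if __name__ == "__main__":
    # Every user sharing the host-wide epmd sees both entries.
    print(parse_names_response(SAMPLE))
```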