You're right that other ports like net/tor have patches like that. But is this
a good enough reason to just copy and paste? My point was that there's no
practical benefit to setting i2pd's working directory to /var/i2pd instead of
/var/lib/i2pd. On the contrary, there's a potential drawback, also on the
practical level: the risk of confusing some users. The trade-off here is style
and consistency on the one side vs. practicality on the other.
/var/lib isn't very openbsd-ish, is only used by 3 ports, and IIRC
there's a backburner proposal to symlink /var/lib -> /var/db if we
can figure out how to get things moved out of the way without breaking
updates too badly. So if we can get these files moved it would be a
good step on the way to that.
OK, I was not aware of that.
You're right that the web interface definitely adds some attack surface. But what's the threat model exactly?
The web interface allows "any user on the system", let's say a malicious user,
to shut down the daemon, i.e., it enables a denial-of-service attack. This
malicious user could also access private information, like your router identity
or the B32 addresses of your tunnels. That's probably what you mean by
"deanonymizing you"... But bear in mind that "any user on the system" can
easily get the machine's IP address anyway, which is usually what you want to
conceal. And even with the web interface disabled, any local user could also
access i2pd's configuration files, which are world-readable by default and can
include some private information (encrypted LeaseSet keys in
/etc/i2pd/tunnels.conf for example).
That sounds like a good argument to use mode 750 for /etc/i2pd.
Right, that's a good idea.
On the other hand, the web interface can be very useful to control and monitor
the i2pd daemon. It's impossible to know what proportion of i2pd users rely on
this feature, but my guess is that it is widely used, hence the i2pd developers
enabled it by default.
In any case, we can also add a note to the README warning users about the risks
associated with the web interface.
OpenBSD policy would usually be to disable potentially risky things
by default and let people enable them if they want rather than hope
they actually read pkg-readme (a lot of users seem not to).
Fair point.
Let's explain that in the README anyway, in case users wonder why the web
interface doesn't work 😅
Here's the patch I came up with, taking into account your remarks and David's
proposals:
- /var/i2pd is set as working directory instead of /var/lib/i2pd
- logs are sent to syslogd by default
- HTTP interface is disabled by default
- /etc/i2pd is mode 750, and the config files within this directory are mode 640
Lightly tested on amd64 for now. The port builds fine, all tests are still
passing, and it seems to run just fine, as far as I tested.
I hope it will be OK like that.
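A quick way to check the four defaults listed above on an installed system, as an added shell example that is not part of the i2pd port, the patch, or this thread. It assumes the upstream i2pd.conf INI layout (a top-level "log = ..." key and a "[http]" section with "enabled = ..."); the sample configuration it writes is constructed for the demo and is not copied from the port.

```sh
#!/bin/sh
# Added example, not part of the i2pd port or the patch under discussion.
# Audits an i2pd configuration directory against the defaults the patch
# changes: the directory must deny "other" (750), every .conf in it must
# deny "other" (640), the web console ([http] enabled) should be off, and
# the top-level "log" key should say syslog.
# Assumption: upstream i2pd.conf INI layout; the sample config below is
# constructed for the demo, not taken from the port.

# other_bits PATH -> the "other" rwx triplet from ls(1), which is portable
# where the format flags of stat(1) differ between BSD and GNU.
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# check_perms CONFDIR -> 0 if the directory and every regular file in it
# grant nothing to "other", 1 otherwise.
check_perms() {
    [ "$(other_bits "$1")" = "---" ] || return 1
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        [ "$(other_bits "$f")" = "---" ] || return 1
    done
    return 0
}

# ini_get FILE SECTION KEY -> value of KEY inside [SECTION]; pass "" as
# SECTION for keys that precede the first section header.
ini_get() {
    awk -v want="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { sec = $0; gsub(/[][]/, "", sec); gsub(/[ \t]/, "", sec); next }
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (sec == want && k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# audit CONFDIR -> one line: "perms=ok|bad http=<value> log=<value>"
audit() {
    if check_perms "$1"; then p=ok; else p=bad; fi
    printf 'perms=%s http=%s log=%s\n' "$p" \
        "$(ini_get "$1/i2pd.conf" http enabled)" \
        "$(ini_get "$1/i2pd.conf" "" log)"
}

# make_demo DIR -> constructed config directory with upstream-style defaults
make_demo() {
    mkdir -p "$1" && chmod 755 "$1"
    cat > "$1/i2pd.conf" <<'EOF'
## constructed sample: mirrors the upstream defaults discussed in the thread
log = file
logfile = /var/log/i2pd/i2pd.log

[http]
enabled = true
address = 127.0.0.1
port = 7070
EOF
    chmod 644 "$1/i2pd.conf"
}

# harden DIR -> apply what the patch settles on: 750/640, syslog, no console
harden() {
    cat > "$1/i2pd.conf" <<'EOF'
log = syslog

[http]
enabled = false
address = 127.0.0.1
port = 7070
EOF
    chmod 750 "$1"
    chmod 640 "$1"/*.conf
}

# demo -> before/after run against a throwaway directory
demo() {
    t=$(mktemp -d) || return 1
    make_demo "$t/i2pd"
    printf 'before: %s\n' "$(audit "$t/i2pd")"
    harden "$t/i2pd"
    printf 'after:  %s\n' "$(audit "$t/i2pd")"
    rm -rf "$t"
}
```

Run `audit /etc/i2pd` as root on a real install; `demo` shows the same check against a scratch copy going from the upstream defaults to the patched ones. The ls(1)-based permission check is deliberately used instead of stat(1) because the latter's format flags are not the same on OpenBSD and Linux.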
That's OK with me, but I still think we should comment on the default
IRC tunnel configuration. This has been activated by the I2Pd developers
because they use this IRC server as a kind of service to answer user
questions, but most people don't need it or don't want to go through the
hassle of configuring their IRC client to use I2P. If anyone wants to
use IRC through I2Pd, they can simply uncomment those lines in the
tunnels.conf configuration file.