While it is probably not a good idea to run freenet on a multi user machine, it can almost be done in a manner that is as secure as the machine itself is and the option should be there to do it. I think participation would go up if more people could run permanently up freenet nodes like mine without throwing an entire machine at it. My server machnes are, well, servers and they have user accounts which means they could connect via localhost and do things to freenet unless I restrict fproxy access to other hosts.
Currently, I run freenet under it's own "freenet" user account on it's own filesystem with all files and directories accessible only to the freeenet user. I have to pick a single user host on my network I want to access fproxy through and restrict it to that host. The telnet interface is of course disabled. As an alternative to host based access, it would be very nice to have an option for fproxy to support https and accept connections only from predefined client certificates, or at very least require a password. For https support, all that would be really required is a directory for the administrator to put .PEM encoded root certificates it trusts, another directory for client certificates it allows and a configuration option pointing to the server certificate and private key. Beyond that, leave it up to the administrator who knows what s/ he is doing to generate and manage all of this. The password option is even easier and I strongly think it should be there. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 2261 bytes Desc: not available URL: <https://emu.freenetproject.org/pipermail/tech/attachments/20060626/03496a0d/attachment.bin>
