Security Feature Request and Issues #7104

Open
b-sullender opened this issue Dec 5, 2024 · 0 comments
Labels
enhancement Some improvement that isn't a feature

Comments

@b-sullender

Issue 1: Ambiguity in Login Rate Limits

The code-server FAQ states:

code-server supports setting a single password and limits logins to two per minute plus an additional twelve per hour.

This language is somewhat ambiguous and leaves room for interpretation. For example:

  1. Are successful logins also part of the rate limit?
  2. Are failed logins excluded from the rate limit?

Proposed Solution

To clarify, the FAQ could be revised as follows:

code-server supports setting a single password and limits all logins (successful or unsuccessful) to two per minute plus an additional twelve per hour.

Issue 2: Configuration File Permissions

When starting code-server, the generated configuration file is created with permissions that allow other users on the system to view the file. This can potentially expose the user’s password.

Proposed Solution

  • Ensure that the configuration file is created with stricter permissions, making it readable and writable only by the user running code-server.
  • Alternatively, provide a clear warning in the documentation about this behavior so users can manually adjust permissions.

Additional Feature Suggestion

As someone who prioritizes tight security but does not want to limit successful logins, it would be ideal to:

  • Customize rate limit settings.
  • Configure integration with fail2ban for more comprehensive security.

These enhancements would provide significant benefits for users who require fine-grained control over security policies.

@b-sullender b-sullender added the enhancement Some improvement that isn't a feature label Dec 5, 2024
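The two points about rate limiting (whether successful logins count, and making the limits configurable) are easier to reason about with a concrete limiter in hand. The following is an added example written for this page, not code-server's own implementation: it models the FAQ wording "two per minute plus an additional twelve per hour" as two token buckets and exposes a single switch, countSuccesses, that decides whether a correct password consumes a token. Class and function names (LoginLimiter, simulateBurst) and the token-bucket design are assumptions made here; the actual code-server limiter may be structured differently.

```typescript
// Added example (not code-server's own code): a two-bucket login limiter.
// A token bucket refills continuously; an attempt is allowed while either
// the "minute" bucket (capacity 2) or the "hour" bucket (capacity 12) has a token.

interface Bucket {
  capacity: number;
  refillPerMs: number; // tokens regained per millisecond
  tokens: number;
  last: number; // timestamp (ms) of the last refill
}

function makeBucket(capacity: number, windowMs: number, now: number): Bucket {
  return { capacity, refillPerMs: capacity / windowMs, tokens: capacity, last: now };
}

function refill(b: Bucket, now: number): void {
  const elapsed = Math.max(0, now - b.last);
  b.tokens = Math.min(b.capacity, b.tokens + elapsed * b.refillPerMs);
  b.last = now;
}

export type Outcome = "ok" | "bad-password" | "rate-limited";

export class LoginLimiter {
  private minute: Bucket;
  private hour: Bucket;

  // countSuccesses: true  -> every attempt (correct or not) consumes a token
  //                 false -> only failed attempts consume a token
  // Capacities and windows are parameters so a deployment can tune them.
  constructor(
    private countSuccesses: boolean,
    now: number,
    perMinute = 2,
    perHour = 12,
  ) {
    this.minute = makeBucket(perMinute, 60_000, now);
    this.hour = makeBucket(perHour, 3_600_000, now);
  }

  // The limiter is consulted BEFORE the password is verified, so a
  // rate-limited client never gets a password oracle. `verify` is only
  // invoked when an attempt is permitted.
  attempt(verify: () => boolean, now: number): Outcome {
    refill(this.minute, now);
    refill(this.hour, now);
    const bucket =
      this.minute.tokens >= 1 ? this.minute : this.hour.tokens >= 1 ? this.hour : null;
    if (bucket === null) return "rate-limited";

    const correct = verify();
    if (correct && !this.countSuccesses) return "ok"; // success is free under this policy
    bucket.tokens -= 1;
    return correct ? "ok" : "bad-password";
  }
}

// Run `n` attempts at the same instant and count the outcomes. Used below
// to show how the countSuccesses switch changes behaviour for a burst of logins.
export function simulateBurst(
  countSuccesses: boolean,
  passwordCorrect: boolean,
  n: number,
): Record<Outcome, number> {
  const limiter = new LoginLimiter(countSuccesses, 0);
  const counts: Record<Outcome, number> = { ok: 0, "bad-password": 0, "rate-limited": 0 };
  for (let i = 0; i < n; i++) {
    counts[limiter.attempt(() => passwordCorrect, 0)] += 1;
  }
  return counts;
}
```

With countSuccesses set to true, a burst of 15 correct logins in the same second yields 14 "ok" and one "rate-limited", which is the behaviour the issue's author wants to avoid; with it set to false the same burst is all "ok" while 15 wrong passwords still stop at 14 before the limiter cuts in. Whichever policy code-server actually implements, the FAQ sentence should name it explicitly.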
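For Issue 2, the fix the author proposes is to create the configuration file so that only the owning user can read it. The snippet below is an added example, not code from code-server: it shows a Node.js/TypeScript helper that writes a file with mode 0600 and a check that reports whether any group or other permission bits are set, then builds a constructed sample config in a temporary directory two ways to compare. It assumes a POSIX filesystem (on Windows, chmod only affects the read-only attribute), and the names writePrivateFile, isExposedToOthers and demo are choices made here.

```typescript
// Added example (not code-server's own code), assumes a POSIX filesystem.
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Write a file so that only the owning user can read or write it (0600).
// The `mode` option on writeFileSync is applied only when the file is
// created and is still masked by the process umask, so chmod afterwards
// to guarantee the final bits regardless of umask or a pre-existing file.
export function writePrivateFile(filePath: string, contents: string): void {
  fs.writeFileSync(filePath, contents, { mode: 0o600, flag: "w" });
  fs.chmodSync(filePath, 0o600);
}

// Owner/group/other permission bits of a file, e.g. 0o644.
export function permissionBits(filePath: string): number {
  return fs.statSync(filePath).mode & 0o777;
}

// True if group or other have any read/write/execute bit set; this is the
// condition that lets another local user read a password stored in the file.
export function isExposedToOthers(filePath: string): boolean {
  return (permissionBits(filePath) & 0o077) !== 0;
}

// Demonstration: create a constructed sample config with the default mode
// and with writePrivateFile, and report what each check sees.
export function demo(): { looseExposed: boolean; strictExposed: boolean; strictBits: number } {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "cfgperm-"));
  const loosePath = path.join(dir, "loose-config.yaml");
  const strictPath = path.join(dir, "strict-config.yaml");
  // Constructed sample content; not a real credential.
  const sample = "bind-addr: 127.0.0.1:8080\nauth: password\npassword: example-placeholder\n";

  fs.writeFileSync(loosePath, sample); // default mode 0o666 & ~umask, commonly 0644
  writePrivateFile(strictPath, sample); // always 0600

  const result = {
    looseExposed: isExposedToOthers(loosePath),
    strictExposed: isExposedToOthers(strictPath),
    strictBits: permissionBits(strictPath),
  };
  fs.rmSync(dir, { recursive: true, force: true });
  return result;
}
```

On a typical umask of 022 the default-mode file comes out 0644 and isExposedToOthers reports true for it, while the file written by writePrivateFile is always 0600. The same check can be run at startup against an existing config file to emit the documentation warning the author suggests as the alternative fix.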