
Security: Default startup should only listen on localhost, and should not run as root

Open nsoft opened this issue 1 year ago • 1 comment

I installed the snap, popped open localhost:9000 and entered a local zk connection, and got connection refused. So I went to check that I had my zk running via listing the listening ports... and discovered that my computer was now attempting to serve access to the zookeeper (which luckily I had typo-ed) to everyone on my network. (listening on *:9000 instead of 127.0.0.1:9000).

Not really ideal. It's usually best to have default installations listen on localhost, and require users to intentionally configure a server to talk to the entire network. If the person can't figure out how to do that they probably aren't ready to do it (or your configuration is too complicated).

Also it appears to be running as root!

java      461240            root   96u  IPv6 9098734      0t0  TCP *:9000 (LISTEN)

That's an obvious major no-no and I immediately uninstalled.

nsoft avatar May 12 '23 19:05 nsoft
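The check described in the post above (list the listening ports, look at the bind address and the owning user) can be scripted so it is repeatable after every install or upgrade. The script below is an added example and is not part of the ZooNavigator project or of either comment in this thread. It parses `lsof -i -P -n` style lines and flags listeners that are bound to all interfaces (`*`, `0.0.0.0`, `[::]`) or owned by `root`. The `SAMPLE_LSOF` input is constructed for the example: its first data line mirrors the line quoted in the issue, the other entries (a `node` process and an established connection) are made up to show the clean and non-listening cases.

```shell
#!/bin/sh
# Added example, not project code: audit lsof-style listener lines for the two
# conditions raised in the issue, a wildcard bind and a root-owned listener.
# Expected input is the output of `lsof -i -P -n`:
#   COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME

# Constructed sample input (not captured from a real host).
SAMPLE_LSOF='COMMAND    PID   USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
java    461240   root   96u  IPv6 9098734      0t0  TCP *:9000 (LISTEN)
node      1234    bob   19u  IPv4   12345      0t0  TCP 127.0.0.1:3000 (LISTEN)
python    5678  alice    5u  IPv4   23456      0t0  TCP 0.0.0.0:8080 (LISTEN)
java    461240   root   97u  IPv6 9098735      0t0  TCP 127.0.0.1:9000->127.0.0.1:51000 (ESTABLISHED)'

# audit_listeners: read lsof lines on stdin and print one line per risky
# listener: COMMAND PID USER ADDRESS FLAGS, where FLAGS is a comma-separated
# subset of "all-interfaces" and "root". Loopback, non-root listeners and
# non-listening sockets produce no output.
audit_listeners() {
    awk '
    NR == 1 && $1 == "COMMAND" { next }        # skip the lsof header
    $NF != "(LISTEN)"           { next }        # only listening sockets matter
    {
        addr = $(NF-1)                          # e.g. *:9000 or 127.0.0.1:3000
        host = addr
        sub(/:[0-9]+$/, "", host)               # drop the port, keep the bind address
        flags = ""
        if (host == "*" || host == "0.0.0.0" || host == "[::]")
            flags = "all-interfaces"
        if ($3 == "root")
            flags = (flags == "" ? "root" : flags ",root")
        if (flags != "")
            print $1, $2, $3, addr, flags
    }'
}

# count_findings: number of risky listeners found in the constructed sample.
count_findings() {
    printf '%s\n' "$SAMPLE_LSOF" | audit_listeners | wc -l | tr -d ' '
}

# On a live host the same function is fed real data (not run here):
#   sudo lsof -i -P -n | audit_listeners
printf '%s\n' "$SAMPLE_LSOF" | audit_listeners
```

Run against the sample, the script reports the `java` listener on `*:9000` as both `all-interfaces` and `root`, reports the `python` listener on `0.0.0.0:8080` as `all-interfaces`, and stays silent for the loopback `node` listener and the established connection. An empty result after installing a service is the state the original post argues should be the default.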

Sorry for the late reply. I appreciate your concern.

Regarding the listening address/interfaces, this tool is primarily tailored for cloud deployment, where listening on loopback is mostly useless. The default choice of listening on all interfaces benefits users who want to quickly try it out without having to fiddle with configuration, however simple it may be. Afterwards, if they decide to deploy it in production, they are expected to configure it as required. Sorry if that's not what you expected, but this is unlikely to change.

To the second point. Obviously I agree that running something as root when it's not needed is just wrong. This Snap is set up with strict confinement mode, which denies all system access except what's explicitly requested via interfaces (which in this case is just network access), so I assume it's not as bad as it looks? That said, I will look into it and try to change it to run under an unprivileged user.

Thank you.

elkozmon avatar Jun 07 '23 07:06 elkozmon