20:45 <nij> Hello :D Is it possible to secure the swank server? I'm running one as root, and don't want that server to be accessed by other users.

20:45 <nij> An idea is to chmod of the unix socket it creates to 600, and chown to root:root.

20:45 <nij> But I cannot find where that socket is..

21:22 <pjb> nij: swank uses a NETWORK socket, so you would find this socket on the NETWORK ;-)

21:22 <pjb> nij: there are no access control on the network.

21:23 <pjb> nij: all you can do, is to implement protocols for identification and authentication. Stuff like TLS etc.

21:23 <pjb> nij: https://github.com/slime/slime/issues/286

21:24 <pjb> nij: there's no easy solution. You could become a hero, patching swank and slime to use TLS and exchange certificates.

21:25 <pjb> nij: one alternative is to have swank listen on a localhost port, and to use a ssh tunnel to allow remote connections.

21:25 <pjb> nij: but this only protects from the external network, not from local users.

21:26 <pjb> https://common-lisp.net/project/slime/doc/html/Connecting-to-a-remote-lisp.html

21:26 <nij> It sounds like for my use I need to look into other sockets package.. e.g. usocket.

21:26 <pjb> One patch that could perhaps be implemented easily would be to use not sockets, but named pipes.

21:30 <pjb> nij: for example, search for 'defimplementation create-socket' in swank sources. On ccl, make-socket takes a :address-family parameter, and you could pass :file to use a unix domain socket (ie. a named pipe), with a :local-filename parameter specifying the pipe file.

21:30 <pjb> nij: then you would have to patch similarly slime to connect using the pipe file.

21:30 <pjb> In that case, you could use unix access rights to protect the pipe.

21:31 <pjb> Become a hero, implement a patch!

21:39 <nij> pjb: I'm still a noob! But perhaps will do one day! :D