
Security Feature Request and Issues #7104

Open
@b-sullender

Description


Issue 1: Ambiguity in Login Rate Limits

The code-server FAQ states:

code-server supports setting a single password and limits logins to two per minute plus an additional twelve per hour.

This language is somewhat ambiguous and leaves room for interpretation. For example:

  1. Are successful logins also part of the rate limit?
  2. Are failed logins excluded from the rate limit?

Proposed Solution

To clarify, the FAQ could be revised as follows:

code-server supports setting a single password and limits all logins (successful or unsuccessful) to two per minute plus an additional twelve per hour.

Issue 2: Configuration File Permissions

When starting code-server, the generated configuration file is created with permissions that allow other users on the system to view the file. This can potentially expose the user’s password.

Proposed Solution

  • Ensure that the configuration file is created with stricter permissions, making it readable and writable only by the user running code-server.
  • Alternatively, provide a clear warning in the documentation about this behavior so users can manually adjust permissions.

Additional Feature Suggestion

As someone who prioritizes tight security but does not want to limit successful logins, it would be ideal to:

  • Customize rate limit settings.
  • Configure integration with fail2ban for more comprehensive security.

These enhancements would provide significant benefits for users who require fine-grained control over security policies.

Labels: enhancement (Some improvement that isn't a feature)