Update README to encourage secure configuration

[anishathalye]

MongoDB by default binds to all interfaces, which means that it'll
accept connections from anywhere. This is really insecure.

[ehzhang]

LGTM!

On a tangent, this should probably also be included for deploy instructions @jlin816, since we haven't really specified how to use .env.config.

[jlin816]

I think someone who's reading these docs is more likely to copy / paste the setup commands and end up doing exactly what we're not recommending.
It seems better to note that a manual setup is possible but omit how it's done, assuming that people who want the manual setup know what they're doing and can figure it out themselves.

Can you also explain the context of the issue in a bit more detail? As I understand what you've written, in most cases it's set up securely as a daemon when you install on most Linux distributions, but you're saying also that there's some other default setting that's not secure?

[anishathalye]

If you run mongod --dbpath db, Mongo binds to all interfaces. You need to specify --bind_ip to explicitly bind to the loopback interface and avoid auto-accepting remote connections.

It's kinda scary how many people recommend running mongod --dbpath db (https://github.com/search?q=%22mongod+--dbpath%22&type=Code&utf8=%E2%9C%93).

If you apt-get install Mongo on Debian, the default /etc/mongod.conf includes reasonably sane settings that have bind IP set to something more restrictive than "all local interfaces", among other things. Most distributions probably do something sane here.

[anishathalye]

Related article: https://blog.shodan.io/its-still-the-data-stupid/

[jlin816]

Ah okay, I think I understand what you mean now (thought that "not recommended" meant "not secure" the first time I read it). Can we de-emphasize the not-recommended method? I'm thinking very roughly something like "we recommend you run as a daemon with the default installation on most Linux distributions... [code block snippet] ... although not recommended, you can also set Mongo up securely by ... [inline code snippet, probably]."

[ravirahman]

I’m a bit confused why we’re including instructions on installing mongo db in our project. We definitely should include instructions on configuring the client, but I’m confused on why we’re telling someone how to configure the server as well. Most tools don’t come with instructions for setting up third party dependencies. For example, wordpress doesn’t tell you how to install mysql. I am very hesitant to make recommendations about how to configure code we don’t control. Ravi

…

On Apr 5, 2017, at 4:20 PM, Jessy Lin ***@***.***> wrote: Ah okay, I think I understand what you mean now (thought that "not recommended" meant "not secure" the first time I read it). Can we de-emphasize the not-recommended method? I'm thinking very roughly something like "we recommend you run as a daemon with the default installation on most Linux distributions... [code block snippet] ... although not recommended, you can also set Mongo up securely by ... [inline code snippet, maybe]." — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#12 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AFaHfMYF5KdfA_fOv0D3CSbfhz1F81gqks5rs_ebgaJpZM4MzLCu>.

[ehzhang]

IMO, for quick local setup, basic instructions for everything involved in making it work (including relevant commands for a database dependency) should be included.

This feels like bikeshedding, which I think can be solved by renaming this section to "Local Development" instead of "Setup". Real recommendations on setup should be expanded upon in a different section.

[ravirahman]

OK Could we just point to an article on how to install mongo and/or one of this security concern? Ravi

…

On Apr 5, 2017, at 4:42 PM, Edwin Zhang ***@***.***> wrote: IMO, for quick local setup, basic instructions for everything involved in making it work (including relevant commands for a database dependency) should be included. This feels like bikeshedding, which I think can be solved by renaming this section to "Local Development" instead of "Setup". Real recommendations on setup should be expanded upon in a different section. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#12 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AFaHfCEM5azL0kJyJ2mm30Ec-_rtkxniks5rs_yugaJpZM4MzLCu>.

[jlin816]

Ok, I think this is fine. I'm less concerned about how to install Mongo than being specific about what config we're suggesting here. Sincemongod --dbpath db is so widely used, deviating from that for a somewhat obscure issue should be explained. I had some context from OffiX, but even I was confused initially with what was being suggested.

[anishathalye]

I agree with Ravi's comments on not telling people how to configure production servers (for slightly different reasons). I have nothing against giving people advice on how to configure software we haven't written, but I don't think any of us want to put in the effort to fully explain how to configure a production MongoDB instance (and I don't think such an explanation belongs in our README).

I also agree with Edwin -- people have short attention spans, and we want to make it easy for people to quickly start playing around with our software. To this end, I slightly updated my pull request.

But fully revamping the README to differentiate between dev setup and prod setup is out of scope for my pull request. If someone else wants to do that, I think it would be great. Gavel, for example, has a detailed development guide, it has a deploy to Heroku button, and it has a short section in the README about production deployment (and we don't give any advice on setting up the database or anything like that).