Lock down the XMRig HTTP API on Linux (restricted + localhost)#17
Open
VijitSingh97 wants to merge 1 commit into
Conversation
On Linux, generate_xmrig_config previously set the XMRig HTTP API to host 0.0.0.0 with restricted=false, exposing a network-reachable, unrestricted miner-control API guarded only by a guessable hostname-derived token. Change the Linux defaults to match the safe macOS/template posture: restricted=true (read-only) and bind to 127.0.0.1 (localhost). The API is no longer network-exposed. macOS behaviour is unchanged and the existing token logic is preserved. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
What & why

On Linux, `generate_xmrig_config` in `rigforge.sh` generated an XMRig HTTP API config that bound to `0.0.0.0` with `restricted=false`, while the only protection was an access token defaulting to the machine's hostname. In practice this exposed a network-reachable, unrestricted miner-control API guarded solely by a guessable token — an attacker on the network could enumerate the token and gain full control of the miner (pause/resume, reconfigure pools, etc.).

macOS already used a safe posture (`restricted=true` plus a non-public bind). This PR brings the Linux defaults in line with that posture:

- `HTTP_RESTRICTED="true"` — the API is now read-only.
- `HTTP_HOST="127.0.0.1"` — the API binds to localhost and is no longer reachable over the network.

Because the API is now localhost + restricted, it is no longer network-exposed. The existing access-token logic is preserved unchanged, and macOS behaviour is untouched. The `jq` config generation that consumes `HTTP_RESTRICTED`/`HTTP_HOST`/`ACCESS_TOKEN` continues to work as before.

Validation:

- `bash -n rigforge.sh` parses cleanly.
- `shellcheck rigforge.sh` introduces no new findings (only the two pre-existing info-level items remain: SC2086 on the `make -j` line and SC2016 on the `envsubst` line).

Related issue

Closes #7
🤖 Generated with Claude Code
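The before/after posture described in this PR, as an added shell example that is not `rigforge.sh` and not part of the project: it builds the XMRig `http` block from the same three inputs (`HTTP_HOST`, `HTTP_RESTRICTED`, `ACCESS_TOKEN`), then gates config generation on a posture check so the old `0.0.0.0` + `restricted=false` combination cannot be written by accident. The function names, the `printf`-based JSON emitter (used instead of `jq` so it runs without extra tooling), the default port and the hostname-derived fallback token are assumptions for the example.

```shell
#!/usr/bin/env bash
# Added example, not the project's rigforge.sh. Function names, port default
# and the fallback token are assumptions made for illustration.
set -eu

# Emit the XMRig "http" object from the PR's three inputs. printf is used in
# place of jq; values are assumed to contain no quotes or backslashes.
xmrig_http_block() {
    local host="$1" restricted="$2" token="$3" port="${4:-8080}"
    printf '{"http":{"enabled":true,"host":"%s","port":%s,"access-token":"%s","restricted":%s}}\n' \
        "$host" "$port" "$token" "$restricted"
}

# Succeed only when the API is bound to a loopback address AND read-only.
# Any other combination is the exposure the PR fixes: a control API that is
# reachable from the network or can change pools/pause the miner.
check_api_posture() {
    local host="$1" restricted="$2"
    case "$host" in
        127.*|::1|localhost) ;;   # loopback only
        *) return 1 ;;
    esac
    [ "$restricted" = "true" ]
}

# The hostname-derived token the PR calls guessable; flag it so the reader
# knows the token alone is not what protects the API.
token_is_guessable() {
    [ "$1" = "${HOSTNAME:-rig}" ]
}

posture_label() {
    if check_api_posture "$1" "$2"; then echo "LOCAL-READONLY"; else echo "EXPOSED"; fi
}

# Refuse to emit a config for an exposed posture; return the JSON otherwise.
generate_checked_config() {
    local host="$1" restricted="$2" token="$3"
    check_api_posture "$host" "$restricted" || return 1
    xmrig_http_block "$host" "$restricted" "$token"
}

# Old Linux default from the PR text: 0.0.0.0, restricted=false, hostname token.
old_linux_defaults() { echo "0.0.0.0 false ${HOSTNAME:-rig}"; }
# New Linux default from the PR text: 127.0.0.1, restricted=true, token unchanged.
new_linux_defaults() { echo "127.0.0.1 true ${HOSTNAME:-rig}"; }

main() {
    local h r t
    read -r h r t <<EOF
$(old_linux_defaults)
EOF
    echo "before: host=$h restricted=$r posture=$(posture_label "$h" "$r")"
    generate_checked_config "$h" "$r" "$t" || echo "  refused to write exposed config"
    read -r h r t <<EOF
$(new_linux_defaults)
EOF
    echo "after:  host=$h restricted=$r posture=$(posture_label "$h" "$r")"
    generate_checked_config "$h" "$r" "$t"
    token_is_guessable "$t" && echo "  note: token equals hostname; do not rely on it alone"
}

main
```

`check_api_posture` is deliberately strict: `127.0.0.1` with `restricted=false` still fails, because a read-write API on localhost is one local process away from full miner control, and `0.0.0.0` with `restricted=true` still fails, because it is still network-reachable. Both halves of the PR's change are needed for the check to pass.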