Does exists LiveCode Server Portable...

Richard Gaskin ambassador at fourthworld.com
Tue May 13 10:27:28 EDT 2014


Alejandro Tejada wrote:

> LiveCode could open a socket to send and receive
> data from other applications.
>
> Does a method exist to create a portable
> LiveCode server that runs locally without
> installing any file in the computer?

Many years ago Dr. Raney made a stack available at the old MetaCard site 
called mchttpd which is exactly that:  a simple Web server built in what 
was then called MetaCard.

It still runs in LiveCode, but needed modification to output proper 
headers for more recent browsers, so with Dr. Raney's permission I've 
modified it and you can download it here:
<http://fourthworld.net/lc/mchttpd-4W.zip>

I still prefer working with Apache for most things since it lets me 
mirror the environment I'll be using when I move what I'm working on 
locally to a public server, but for specialized services mchttpd can be 
a good starting point.

> In one of my computers, every application
> that opens a socket must be authorized
> by the user because Zone Alarm asks for
> permission...

A similar requirement happens on OS X as well:  in Lion and later (I 
don't recall seeing this in Snow Leopard), whenever an app starts 
listening on a port the OS notifies the user and asks for confirmation.

This is very helpful, since most serious OSes (read OS X and Linux) 
usually ship with all incoming traffic blocked (well, that's true for 
Ubuntu, not sure about other distros or how well OS X matches that 
security decision).  This means that out of the box the system is 
unreachable from the outside, leaving it to the user to explicitly open 
any ports they might need, while most users never need to go out of 
their way to have the system reasonably well protected.

Once you open a port you're inviting traffic to your machine.  Of course 
most folks have a router to negotiate between their internal network and 
the external Internet, and most routers should require explicit action 
to set up the forwarding of requests to a specific port from the outside 
world to the machine providing the service.  So without that, on most 
routers worth using, things like mchttpd are useful for intranet 
services yet still unreachable to the outside world.

As written, mchttpd is pretty nice, and fairly limited - by design, so 
that it won't, for example, run "do" on arbitrary strings passed into it.

But it's extensible, so if one were inclined to live dangerously you 
could extend mchttpd to allow it to "do" any LiveCode statements passed 
in as arguments to the HTTP request - and then your machine could be 
pwned by anyone who can reach it.

Set up port forwarding on your router to allow the world to do that, and 
it would be an interesting measure of LiveCode's current global adoption 
to find out how long it would be until your machine gets pwned. ;)

Of course in any real system you'd want to be very careful to avoid such 
injection exploits.

One of the reasons I've tried to get "do", "eval" and the rest out of my 
habits is not merely because there are almost always better 
alternatives, but that if I ever get absent-minded I'm less likely by 
habit to include anything like that in server code.

Interesting exercise for the reader:

On a Mac, open Console and in the side pane click on appfirewall.log

- or -

In Lubuntu, run:

   more /var/log/auth.log

The world is full of botnets randomly attempting access on all ports on 
all machines all day long....

On my critical machines I recently set up shared keys between the 
various computers I use, and once that was done I modded my 
/etc/sshd_config so that it no longer allows password login at all.

The downside is that whenever I get a new computer I have to add its key 
by going through one of the existing ones already known in authorized_keys.

But the upside is that no one can use any password to get in, since all 
passwords are rejected.

--
  Richard Gaskin
  Fourth World
  LiveCode training and consulting: http://www.fourthworld.com
  Webzine for LiveCode developers: http://www.LiveCodeJournal.com
  Follow me on Twitter:  http://twitter.com/FourthWorldSys
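
The auth.log exercise above, as an added example that is not part of the original message: a Python script that tallies failed sshd password attempts per source address and lists any accepted password logins. The sample log lines, host name, users and addresses are constructed, and the patterns assume the usual OpenSSH "Failed password" / "Accepted" message wording.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the sshd syslog format found in /var/log/auth.log;
# host, users and addresses (RFC 5737 documentation ranges) are made up.
SAMPLE_LOG = """\
May 13 09:14:02 box sshd[2211]: Failed password for root from 203.0.113.7 port 51234 ssh2
May 13 09:14:05 box sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
May 13 09:14:09 box sshd[2213]: Failed password for root from 203.0.113.7 port 51251 ssh2
May 13 09:15:10 box sshd[2230]: Invalid user test from 198.51.100.23
May 13 09:15:12 box sshd[2230]: Failed password for invalid user test from 198.51.100.23 port 40112 ssh2
May 13 09:20:00 box sshd[2301]: Accepted publickey for alice from 192.0.2.10 port 40022 ssh2
May 13 09:31:44 box sshd[2388]: Accepted password for bob from 192.0.2.55 port 40100 ssh2
May 13 09:32:00 box CRON[2400]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")

def summarize(log_text):
    """Return (failures per source IP, usernames tried per IP, password logins)."""
    failures = Counter()
    users_tried = defaultdict(set)
    password_logins = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            users_tried[ip].add(user)
            continue
        m = ACCEPTED.search(line)
        if m and m.group(1) == "password":
            # Once password login is disabled in sshd, this list should stay empty.
            password_logins.append((m.group(2), m.group(3)))
    return failures, dict(users_tried), password_logins

if __name__ == "__main__":
    failures, users, pw_logins = summarize(SAMPLE_LOG)
    for ip, count in failures.most_common():
        print(f"{ip}: {count} failed attempts, users tried: {sorted(users[ip])}")
    for user, ip in pw_logins:
        print(f"password login accepted: {user} from {ip}")
```

To run it against a real log, pass the file's contents to `summarize()` in place of `SAMPLE_LOG`; reading /var/log/auth.log normally requires root or membership in the adm group.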



