If you're thinking of using node on the same server geth is located on, it's probably safer to use the IPC pipe. You can configure your geth node to start as a service, owned by a service user--and then set permissions on the IPC pipe created to only allow access to users in the same group (or to just that user). If your node script is run as the same user or as a user that's part of one of the geth user's groups, you can restrict access to that user/group.
For example, if you configure geth to have a data directory at /var/lib/geth, the pipe will be located at /var/lib/geth/geth.ipc by default (I think, the naming might be different). If you change the permissions on /var/lib/geth to 760 (u+rwx, g+rw), you can restrict access to the chain data, the ipc pipe, and the keyfiles created by geth to only the geth user or its group.
Permissions can be more finely tuned from there, if you so desire.
--ipcdisable). To use it with web3, you'd need to use the IPC provider, like so:

    var Web3 = require('web3'), net = require('net');
    var web3 = new Web3(new Web3.providers.IpcProvider('/var/lib/geth/geth.ipc', net));

A note on the IPC provider: it only allows for async methods/accessors.
– DeviateFish May 27 '17 at 04:56
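
A pre-flight check for the setup this answer describes, as an added example that is not part of the original answer: it inspects the data directory and the IPC socket inside it before a script connects. The function names, issue labels and options are hypothetical; `/var/lib/geth` and `geth.ipc` are the paths used in the answer.

```javascript
const fs = require('fs');
const path = require('path');

// Check one path. Returns findings as {path, issue, mode}; empty means it passed.
function auditPath(p, opts = {}) {
  let st;
  try {
    st = fs.lstatSync(p);                 // lstat: do not follow symlinks
  } catch (e) {
    return [{ path: p, issue: 'missing' }];
  }
  const bits = st.mode & 0o777;
  const out = [];
  const add = (issue) => out.push({ path: p, issue, mode: bits.toString(8) });
  if (st.isSymbolicLink()) add('symlink');
  if (bits & 0o007) add('world-access');  // any r/w/x bit for "other"
  if (opts.uid !== undefined && st.uid !== opts.uid) add('wrong-owner');
  if (!opts.allowGroup && (bits & 0o070)) add('group-access');
  // A group member needs search (x) on the directory to reach the socket in it.
  if (opts.allowGroup && st.isDirectory() && !(bits & 0o010)) add('group-no-search');
  return out;
}

// Audit the data directory and the IPC socket inside it.
function auditGethIpc(dataDir, opts = {}) {
  const ipc = path.join(dataDir, opts.ipcName || 'geth.ipc');
  const findings = auditPath(dataDir, opts).concat(auditPath(ipc, opts));
  if (fs.existsSync(ipc) && !fs.lstatSync(ipc).isSocket()) {
    findings.push({ path: ipc, issue: 'not-socket' });
  }
  return findings;
}

// Stand-alone use: node audit.js [dataDir]; the default is the answer's path.
const target = process.argv[2] || '/var/lib/geth';
for (const f of auditGethIpc(target, { allowGroup: true })) {
  console.log(`${f.issue}: ${f.path}${f.mode ? ' (mode ' + f.mode + ')' : ''}`);
}
```

Pass `uid` (for example the geth service user's numeric id) to also verify ownership, and leave `allowGroup` unset when only the service user itself should reach the socket.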