How could it? The agent calling into the MCP server is the one exposing an interface to the end user. It’s the agents job to prompt the user (and both Claude desktop and cursor do).
It’s the “system administrator”’s job to make sure the MCP is running at the right privilege level with correct data access levels. The MCP server can’t stop somebody from running it as root the same way any other program can’t.
At the end of the day the MCP should be treated as an extension of the user. Whatever the user can do, so too can the MCP server. (I mean, this isn’t technically true.. you can run the MCP under its own account or inside some sandbox… this will probably start to happen soon enough)
The problem isn't the permissions the MCP has, it's about whose orders it obeys.
Many other programs on the system aren't an extension of the user. And they can access ports.
How could it do authentication? Easily. The most basic option is for the server to put a secret token in your user folder, so only code with access to that token can talk to it.
On Linux it can be even simpler. Don't attach the server to a port, attach it to a socket file.
It’s the “system administrator”’s job to make sure the MCP is running at the right privilege level with correct data access levels. The MCP server can’t stop somebody from running it as root the same way any other program can’t.
At the end of the day the MCP should be treated as an extension of the user. Whatever the user can do, so too can the MCP server. (I mean, this isn’t technically true.. you can run the MCP under its own account or inside some sandbox… this will probably start to happen soon enough)