Hardening DAC #171
Hardening DAC #171
Conversation
modules/clightning.nix
Outdated
| @@ -111,6 +110,10 @@ in { | |||
| while [[ ! -e ${cfg.dataDir}/bitcoin/lightning-rpc ]]; do | |||
| sleep 0.1 | |||
| done | |||
| # give group "search" access to allow clightning group processes to find lightning-rpc | |||
There was a problem hiding this comment.
Do you know who needs that? lightning-rpc is always lightning-rpc - not sure why anyone would need search permissions
There was a problem hiding this comment.
spark-wallet and lightning-charge need to be able to "look" into the directory to find lightning-rpc. Otherwise you get
Lightning client connection error { Error: connect EACCES /var/lib/clightning/bitcoin
in spark-wallet for example.
modules/presets/secure-node.nix
Outdated
| @@ -132,8 +132,6 @@ in { | |||
| services.onion-chef.enable = true; | |||
| services.onion-chef.access.operator = [ "bitcoind" "clightning" "nginx" "liquidd" "spark-wallet" "electrs" "sshd" ]; | |||
|
|
|||
| # Unfortunately c-lightning doesn't allow setting the permissions of the rpc socket | |||
| # https://github.com/ElementsProject/lightning/issues/1366 | |||
| security.sudo.configFile = | |||
| (optionalString cfg.clightning.enable '' | |||
There was a problem hiding this comment.
Yeah I'm fine with keeping the lightning-cli option with sudo. It's simpler than having to deal groups.
There was a problem hiding this comment.
@erikarvstedt Re: 0e66ec47489732002ba9ab96dafd3ddd401a5ae8 I thought it would be good to keep, so lightning-cli would never be executed as root by accident. But I guess the simplicity win outweighs that. So ACK.
|
ACK want to squash? |
|
Should I squash all into one or just the jonasnick fixups? |
|
just fixups |
|
squashed |
|
Oh I meant squashing the fixups into the corresponding original commits. |
|
Done. Didn't squash |
|
I'll review this later today, please wait before merging. |
|
Thanks, @nixbitcoin, for these very sensible changes. Could you, in the future, add a Also, please use separate commits for larger, orthogonal changes.
Here are my fixups. |
|
Thank you for the great This was my first try at structuring commits properly. My next PR will be more diligent in separating into single-topic commits and obeying the nix naming conventions. I separated said commit. I didn't separate 95afba4 because the changes aren't that orthogonal and splitting wasn't that easy. |
|
Thanks! 😺 Could you please remove the ephemeral fixup messages from the squashed messages? ExampleProblematic message: Fixed message: |
|
Please rename commit |
If TLSProxy is disabled, bypass nginx by forwarding Tor HS traffic directly to electrs.
Electrs does not need to be a part of "bitcoinrpc" group because preStart electrs.toml creation is handled by PermissionsStartOnly. "bitcoin" group membership is only necessary when cfg.high-memory is enabled and electrs reads blocks directly from the blocks directory.
Secrets are written to clightning config file during preStart with root permissions because of PermissionsStartOnly.
currently, nodeinfo has presets/secure-node.nix as a strict dependency as it requires onion-chef and the 'operatorName' option. and nix-bitcoin-webindex.nix has nodeinfo as a dependecy. so don't add nodeinfo and webindex to modules.nix because they will fail on standalone use.
|
Could you format your approvals in the future like so: |
|
@nixbitcoin ACK 😃 |
This PR all-around hardens our existing discretionary access control.
All lightning modules (spark-wallet, recurring-donations, lightning-charge) now run under their own user with clightning group membership. They can interact with c-lightning via group-readable/writable socket. I didn't remove the lightning-cli option because I think it's a good idea to always run it under the clightning user (otherwise it's executed with root permissions in nodeinfo), please take a look at this.
bitcoinrpc group is removed and bitcoin group membership is reduced to a minimum. Secrets are gotten via preStart with PermissionsStartOnly.
electrs also has an improved and truly optional TLSProxy.
I wasn't able to reduce the permissions of nodeinfo, onion-chef and create-webindex from root. I couldn't find an elegant way to fulfill their functions as a less-privileged user without introducing excessive complexity.
LND was out-of-scope for this PR, because I don't run it and have no experience with it.
Closes #145
Closes #170