Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

File permissions for validator client API keys are insecure #2437

Closed
dnkolegov opened this issue Jul 7, 2021 · 1 comment
Closed

File permissions for validator client API keys are insecure #2437

dnkolegov opened this issue Jul 7, 2021 · 1 comment
Labels
low-hanging-fruit Easy to resolve, get it before someone else does! security v2.0.0 Altair on mainnet release (v2.0.0)

Comments

@dnkolegov
Copy link

dnkolegov commented Jul 7, 2021
edited
Loading

Description

A validator client uses two API keys: ".secp-sk" (secret key) and "api-token.txt" (the corresponding public key).
Both files are stored in a user directory with 644 permission bits.
So any user on the host can read them.

To reproduce the issue just run:

docker run -it -p 127.0.0.1:9000:9000 -p 127.0.0.1:5062:5062 -p 127.0.0.1:5052:5052 sigp/lighthouse /bin/bash

lighthouse beacon --http --http-address 0.0.0.0 &
lighthouse vc --http &
ls -laF ~/.lighthouse/mainnet/validators/{.secp-sk,api-token.txt}

Version

Lighthouse/v1.4.0-3b600ac

Expected Behaviour

Permission bits must be 600.
@paulhauner paulhauner added security low-hanging-fruit Easy to resolve, get it before someone else does! labels Jul 8, 2021
@paulhauner paulhauner added the v1.5.1 To be included in the v1.5.1 relase label Aug 2, 2021
@pawanjay176 pawanjay176 mentioned this issue Aug 4, 2021
Closed
@dnkolegov dnkolegov mentioned this issue Aug 5, 2021
Closed
@michaelsproul michaelsproul added v1.5.2 The release after v1.5.1 v2.0.0 Altair on mainnet release (v2.0.0) and removed v1.5.1 To be included in the v1.5.1 relase v1.5.2 The release after v1.5.1 labels Aug 26, 2021
bors bot pushed a commit that referenced this issue Sep 3, 2021
@pawanjay176
Update file permissions (#2499)
6f18f95 
## Issue Addressed

Resolves #2438 
Resolves #2437 

## Proposed Changes

Changes the permissions for validator client http server api token file and secret key to 600 from 644. Also changes the permission for logfiles generated using the `--logfile` cli option to 600.

Logs the path to the api token instead of the actual api token. Updates docs to reflect the change.
@paulhauner
Copy link
Member

Resolved in #2499

@fredriksvantes fredriksvantes mentioned this issue Apr 15, 2022
Closed
@Githubuser60 Githubuser60 mentioned this issue Sep 21, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
low-hanging-fruit Easy to resolve, get it before someone else does! security v2.0.0 Altair on mainnet release (v2.0.0)
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@michaelsproul @dnkolegov @paulhauner