RPC Whitelist #202
RPC Whitelist #202
Conversation
There was a problem hiding this comment.
Note that if this is used for NBXplorer it will break PayJoin in BTCPayServer, so I'd recommend documenting it.
See MetacoSA/NBitcoin#864 for details.
modules/presets/secure-node.nix
Outdated
| "estimatefee" | ||
| "estimatepriority" | ||
| "estimatesmartfee" | ||
| "estimatesmartpriority" |
There was a problem hiding this comment.
Few more harmless calls to consider:
validateaddresstestmempoolacceptsignrawtransactionwithkey- the key is provided in the call, so stealing is not possiblescantxoutset- I assume this operation takes some time, so maybe it could be used for DoS, but probably not too huge issue?
There was a problem hiding this comment.
Incorporated these harmless calls in 88c7348. Thank you for the suggestions.
There was a problem hiding this comment.
estimatepriority and estimatesmartpriority were removed in 0.15.
|
Rebased |
|
Rebased, expanded tests, removed deprecated rpc calls |
|
FYI, I found yesterday that NBXplorer/BTCPayServer don't work without If you have regtest packages, then you may want to special-case this. |
pkgs/generate-secrets/default.nix
Outdated
| @@ -1,6 +1,9 @@ | |||
| { pkgs }: with pkgs; | |||
|
|
|||
| let | |||
| rpcauth = pkgs.callPackage ./rpcauth { }; | |||
There was a problem hiding this comment.
I think you can replace this with:
rpcauth = pkgs.writeScriptBin "rpcauth" (builtins.readFile ./rpcauth/rpcauth.py);
(mind the indentation) and remove rpcauth/default.nix
modules/bitcoind.nix
Outdated
| @@ -266,7 +267,9 @@ in { | |||
| readOnly = true; | |||
| type = types.package; | |||
| default = pkgs.writeScriptBin "bitcoin-cli" '' | |||
| exec ${cfg.package}/bin/bitcoin-cli -datadir='${cfg.dataDir}' "$@" | |||
| exec ${cfg.package}/bin/bitcoin-cli \ | |||
| -rpcuser=${cfg.rpc.users.privileged.name} -rpcpassword=$(cat ${secretsDir}/bitcoin-rpcpassword-privileged) \ | |||
There was a problem hiding this comment.
Perhaps better to leave the rpcuser and rpcpassword in the bitcoin.conf so we don't have to specify them here
There was a problem hiding this comment.
-rpcpassword being entered from command line is actually insecure. bitcoin-cli has an option -stdinrpcpass to solve this problem - just read it from that file.
There was a problem hiding this comment.
Fixed in fb94d19
I think it's even better to use the config file than -stdinrpcpass
There was a problem hiding this comment.
BTW, this is just defense in depth since we already forbid users from viewing other's commands with hidepid
|
Here's an exhaustive list of the RPCs I'd consider "public" from bitcoin 0.21.0: Every time we update bitcoind we can check for new public RPCs and add them to the list. |
|
Rebased, fix nits, and Jonas Nick public rpc call list implemented |
|
@Kixunil We're taking note of all the NBXplorer issues here and will get to them when we merge BTCPayserver |
Includes bitcoind's `share/rpcauth` to convert apg generated passwords into salted HMAC-SHA-256 hashed passwords.
Default behavior for rpc whitelisting is set to 0, which means that rpcwhitelisting is only enforced for rpc users for whom an `rpcwhitelist` exists.
This PR changes bitcoind rpc authentication to the
rpcauthfeature with HMAC-SHA-256 hashed passwords. It implements anrpcwhitelistof harmless rpc calls for services with rpc access (clightning,lnd,liquidd, andelectrs).Right now, I transfer the HMAC's from the
/secretsdirectory by replacing a placeholder insidebitcoin.confviasedin thesystemd.services.bitcoind.preStart. I'm not sure if this is the optimal solution.Closes #191
Closes #183