-
Notifications
You must be signed in to change notification settings - Fork 101
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RPC Whitelist #202
RPC Whitelist #202
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note that if this is used for NBXplorer it will break PayJoin in BTCPayServer, so I'd recommend documenting it.
See MetacoSA/NBitcoin#864 for details.
modules/presets/secure-node.nix
Outdated
"estimatefee" | ||
"estimatepriority" | ||
"estimatesmartfee" | ||
"estimatesmartpriority" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Few more harmless calls to consider:
validateaddress
testmempoolaccept
signrawtransactionwithkey
- the key is provided in the call, so stealing is not possiblescantxoutset
- I assume this operation takes some time, so maybe it could be used for DoS, but probably not too huge issue?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Incorporated these harmless calls in 88c7348. Thank you for the suggestions.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
estimatepriority and estimatesmartpriority were removed in 0.15.
Rebased |
Rebased, expanded tests, removed deprecated rpc calls |
FYI, I found yesterday that NBXplorer/BTCPayServer don't work without If you have regtest packages, then you may want to special-case this. |
pkgs/generate-secrets/default.nix
Outdated
@@ -1,6 +1,9 @@ | |||
{ pkgs }: with pkgs; | |||
|
|||
let | |||
rpcauth = pkgs.callPackage ./rpcauth { }; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think you can replace this with:
rpcauth = pkgs.writeScriptBin "rpcauth" (builtins.readFile ./rpcauth/rpcauth.py);
(mind the indentation) and remove rpcauth/default.nix
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed in fb94d19
modules/bitcoind.nix
Outdated
@@ -266,7 +267,9 @@ in { | |||
readOnly = true; | |||
type = types.package; | |||
default = pkgs.writeScriptBin "bitcoin-cli" '' | |||
exec ${cfg.package}/bin/bitcoin-cli -datadir='${cfg.dataDir}' "$@" | |||
exec ${cfg.package}/bin/bitcoin-cli \ | |||
-rpcuser=${cfg.rpc.users.privileged.name} -rpcpassword=$(cat ${secretsDir}/bitcoin-rpcpassword-privileged) \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Perhaps better to leave the rpcuser and rpcpassword in the bitcoin.conf so we don't have to specify them here
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
-rpcpassword
being entered from command line is actually insecure. bitcoin-cli
has an option -stdinrpcpass
to solve this problem - just read it from that file.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed in fb94d19
I think it's even better to use the config file than -stdinrpcpass
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
BTW, this is just defense in depth since we already forbid users from viewing other's commands with hidepid
Here's an exhaustive list of the RPCs I'd consider "public" from bitcoin 0.21.0:
Every time we update bitcoind we can check for new public RPCs and add them to the list. |
Rebased, fix nits, and Jonas Nick public rpc call list implemented |
@Kixunil We're taking note of all the NBXplorer issues here and will get to them when we merge BTCPayserver |
Includes bitcoind's `share/rpcauth` to convert apg generated passwords into salted HMAC-SHA-256 hashed passwords.
Default behavior for rpc whitelisting is set to 0, which means that rpcwhitelisting is only enforced for rpc users for whom an `rpcwhitelist` exists.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ACK 5086fc3
This PR changes bitcoind rpc authentication to the
rpcauth
feature with HMAC-SHA-256 hashed passwords. It implements anrpcwhitelist
of harmless rpc calls for services with rpc access (clightning
,lnd
,liquidd
, andelectrs
).Right now, I transfer the HMAC's from the
/secrets
directory by replacing a placeholder insidebitcoin.conf
viased
in thesystemd.services.bitcoind.preStart
. I'm not sure if this is the optimal solution.Closes #191
Closes #183