From 6f032e3c404502062fc4ceaa51d59b1a6e7f518d Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Sun, 30 Aug 2020 22:45:34 +0200
Subject: [PATCH] lnd: fix mnemonic file access vulnerability

Previously, the file was readable by 'other' for a short time after creation.
---
 modules/lnd.nix | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/modules/lnd.nix b/modules/lnd.nix
index 621dc03..d32890c 100644
--- a/modules/lnd.nix
+++ b/modules/lnd.nix
@@ -174,13 +174,12 @@ in {
       mnemonic=${secretsDir}/lnd-seed-mnemonic
       if [[ ! -f $mnemonic ]]; then
         echo Create lnd seed
-
+        umask u=r,go=
         ${pkgs.curl}/bin/curl -s \
           --cacert ${secretsDir}/lnd-cert \
           -X GET https://127.0.0.1:${restPort}/v1/genseed | ${pkgs.jq}/bin/jq -c '.cipher_seed_mnemonic' > "$mnemonic"
       fi
       chown lnd: "$mnemonic"
-      chmod 400 "$mnemonic"
     ''}"
     "${let mainnetDir = "${cfg.dataDir}/chain/bitcoin/mainnet";
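Review bot: The `> "$mnemonic"` redirection on the `-X GET ... | jq` line creates the seed file before the pipeline has produced anything, so if curl fails (REST port not listening yet) or jq emits `null` because `.cipher_seed_mnemonic` is absent, an empty or `null` 0400 file is left behind and the `[[ ! -f $mnemonic ]]` guard never regenerates it on later starts; the new umask closes the permission window but not this one. I would write to a temporary name under the same umask, use `jq -ce` so a null result fails the pipeline, and `mv` the temporary file onto `"$mnemonic"` only on success, removing it otherwise. Note also that `umask u=r,go=` applies to every file the remainder of this script creates, not only the redirection; if anything else is created after `fi`, scope it as `( umask u=r,go=; ... > "$mnemonic" )`. Dropping `chmod 400` additionally means the mode of a pre-existing seed file is no longer re-enforced on each start, which may be intentional but is worth a comment. The script this hunk belongs to begins before the hunk.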