joinmarket: fix leaking passwords
Previously, `bitcoin-rpcpassword-privileged` and `jm-wallet-password` were passed as world readable arguments to sed and jm-genwallet subprocesses.
This commit is contained in:
parent
5c14453389
commit
b15d71605e
@ -33,7 +33,6 @@ let
|
|||||||
rpc_host = ${bitcoind.rpc.address}
|
rpc_host = ${bitcoind.rpc.address}
|
||||||
rpc_port = ${toString bitcoind.rpc.port}
|
rpc_port = ${toString bitcoind.rpc.port}
|
||||||
rpc_user = ${bitcoind.rpc.users.privileged.name}
|
rpc_user = ${bitcoind.rpc.users.privileged.name}
|
||||||
@@RPC_PASSWORD@@
|
|
||||||
${optionalString (cfg.rpcWalletFile != null) "rpc_wallet_file = ${cfg.rpcWalletFile}"}
|
${optionalString (cfg.rpcWalletFile != null) "rpc_wallet_file = ${cfg.rpcWalletFile}"}
|
||||||
|
|
||||||
[MESSAGING:server1]
|
[MESSAGING:server1]
|
||||||
@ -237,10 +236,12 @@ in {
|
|||||||
requires = [ "bitcoind.service" ];
|
requires = [ "bitcoind.service" ];
|
||||||
after = [ "bitcoind.service" ];
|
after = [ "bitcoind.service" ];
|
||||||
preStart = ''
|
preStart = ''
|
||||||
install -o '${cfg.user}' -g '${cfg.group}' -m 640 ${configFile} ${cfg.dataDir}/joinmarket.cfg
|
{
|
||||||
sed -i \
|
cat ${configFile}
|
||||||
"s|@@RPC_PASSWORD@@|rpc_password = $(cat ${secretsDir}/bitcoin-rpcpassword-privileged)|" \
|
echo
|
||||||
'${cfg.dataDir}/joinmarket.cfg'
|
echo '[BLOCKCHAIN]'
|
||||||
|
echo "rpc_password = $(cat ${secretsDir}/bitcoin-rpcpassword-privileged)"
|
||||||
|
} > '${cfg.dataDir}/joinmarket.cfg'
|
||||||
'';
|
'';
|
||||||
# Generating wallets (jmclient/wallet.py) is only supported for mainnet or testnet
|
# Generating wallets (jmclient/wallet.py) is only supported for mainnet or testnet
|
||||||
postStart = mkIf (bitcoind.network == "mainnet") ''
|
postStart = mkIf (bitcoind.network == "mainnet") ''
|
||||||
@ -252,9 +253,11 @@ in {
|
|||||||
${bitcoind.cli}/bin/bitcoin-cli -named createwallet \
|
${bitcoind.cli}/bin/bitcoin-cli -named createwallet \
|
||||||
wallet_name="${cfg.rpcWalletFile}" disable_private_keys=true
|
wallet_name="${cfg.rpcWalletFile}" disable_private_keys=true
|
||||||
''}
|
''}
|
||||||
pw=$(cat "${secretsDir}"/jm-wallet-password)
|
|
||||||
cd ${cfg.dataDir}
|
cd ${cfg.dataDir}
|
||||||
if ! ${nbPkgs.joinmarket}/bin/jm-genwallet --datadir=${cfg.dataDir} $walletname $pw \
|
# Strip trailing newline from password file
|
||||||
|
if ! tr -d "\n" <"${secretsDir}/jm-wallet-password" \
|
||||||
|
| ${nbPkgs.joinmarket}/bin/jm-genwallet \
|
||||||
|
--datadir=${cfg.dataDir} --wallet-password-stdin $walletname \
|
||||||
| grep 'recovery_seed' \
|
| grep 'recovery_seed' \
|
||||||
| cut -d ':' -f2 \
|
| cut -d ':' -f2 \
|
||||||
| (umask u=r,go=; cat > jm-wallet-seed); then
|
| (umask u=r,go=; cat > jm-wallet-seed); then
|
||||||
|
Loading…
Reference in New Issue
Block a user