joinmarket: fix leaking passwords

Previously, `bitcoin-rpcpassword-privileged` and `jm-wallet-password` were
passed as world-readable command-line arguments to the sed and jm-genwallet subprocesses.
Erik Arvstedt 2021-08-27 17:09:11 +02:00
parent 5c14453389
commit b15d71605e
No known key found for this signature in database
GPG Key ID: 33312B944DD97846


@ -33,7 +33,6 @@ let
rpc_host = ${bitcoind.rpc.address} rpc_host = ${bitcoind.rpc.address}
rpc_port = ${toString bitcoind.rpc.port} rpc_port = ${toString bitcoind.rpc.port}
rpc_user = ${bitcoind.rpc.users.privileged.name} rpc_user = ${bitcoind.rpc.users.privileged.name}
@@RPC_PASSWORD@@
${optionalString (cfg.rpcWalletFile != null) "rpc_wallet_file = ${cfg.rpcWalletFile}"} ${optionalString (cfg.rpcWalletFile != null) "rpc_wallet_file = ${cfg.rpcWalletFile}"}
[MESSAGING:server1] [MESSAGING:server1]
@ -237,11 +236,13 @@ in {
requires = [ "bitcoind.service" ]; requires = [ "bitcoind.service" ];
after = [ "bitcoind.service" ]; after = [ "bitcoind.service" ];
preStart = '' preStart = ''
install -o '${cfg.user}' -g '${cfg.group}' -m 640 ${configFile} ${cfg.dataDir}/joinmarket.cfg {
sed -i \ cat ${configFile}
"s|@@RPC_PASSWORD@@|rpc_password = $(cat ${secretsDir}/bitcoin-rpcpassword-privileged)|" \ echo
'${cfg.dataDir}/joinmarket.cfg' echo '[BLOCKCHAIN]'
''; echo "rpc_password = $(cat ${secretsDir}/bitcoin-rpcpassword-privileged)"
} > '${cfg.dataDir}/joinmarket.cfg'
'';
# Generating wallets (jmclient/wallet.py) is only supported for mainnet or testnet # Generating wallets (jmclient/wallet.py) is only supported for mainnet or testnet
postStart = mkIf (bitcoind.network == "mainnet") '' postStart = mkIf (bitcoind.network == "mainnet") ''
walletname=wallet.jmdat walletname=wallet.jmdat
@ -252,12 +253,14 @@ in {
${bitcoind.cli}/bin/bitcoin-cli -named createwallet \ ${bitcoind.cli}/bin/bitcoin-cli -named createwallet \
wallet_name="${cfg.rpcWalletFile}" disable_private_keys=true wallet_name="${cfg.rpcWalletFile}" disable_private_keys=true
''} ''}
pw=$(cat "${secretsDir}"/jm-wallet-password)
cd ${cfg.dataDir} cd ${cfg.dataDir}
if ! ${nbPkgs.joinmarket}/bin/jm-genwallet --datadir=${cfg.dataDir} $walletname $pw \ # Strip trailing newline from password file
| grep 'recovery_seed' \ if ! tr -d "\n" <"${secretsDir}/jm-wallet-password" \
| cut -d ':' -f2 \ | ${nbPkgs.joinmarket}/bin/jm-genwallet \
| (umask u=r,go=; cat > jm-wallet-seed); then --datadir=${cfg.dataDir} --wallet-password-stdin $walletname \
| grep 'recovery_seed' \
| cut -d ':' -f2 \
| (umask u=r,go=; cat > jm-wallet-seed); then
echo "wallet creation failed" echo "wallet creation failed"
rm -f "$wallet" jm-wallet-seed rm -f "$wallet" jm-wallet-seed
exit 1 exit 1