btcpayserver: fix whitelist security issue

Whitelisting localhost implicitly whitelists all inbound onion
connections. This prevents banning misbehaving inbound onion peers
and enables message `mempool` which can cause privacy leaks.

Instead, grant `download` as the single bitcoind whitelist permission, which
should be safe for onion peers.
Remove liquidd whitelisting because it doesn't support fine-grained permissions.

After a cursory glance at the nbxplorer code I think that nbxplorer
requires none of the other default whitelist permissions (noban, mempool,
relay).
Details: https://github.com/dgarage/NBXplorer/issues/344
This commit is contained in:
Erik Arvstedt 2021-10-15 15:56:14 +02:00
parent df2070b44a
commit ec4a4dbe41
No known key found for this signature in database
GPG Key ID: 33312B944DD97846

View File

@ -119,7 +119,7 @@ in {
# Enable p2p connections
listen = true;
extraConfig = ''
whitelist=${nbLib.address cfg.nbxplorer.address}
whitelist=download@${nbLib.address cfg.nbxplorer.address}
'';
};
services.clightning.enable = mkIf (cfg.btcpayserver.lightningBackend == "clightning") true;
@ -128,9 +128,6 @@ in {
enable = true;
# Enable p2p connections
listen = true;
extraConfig = ''
whitelist=${nbLib.address cfg.nbxplorer.address}
'';
};
services.lnd.macaroons.btcpayserver = mkIf (cfg.btcpayserver.lightningBackend == "lnd") {