Skip to content

Fix systemd service file configuration directory setup #16556

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
fanquake merged 4 commits into from
Aug 29, 2019
Merged

Fix systemd service file configuration directory setup #16556

fanquake merged 4 commits into from
Aug 29, 2019

Conversation

@setpill
Copy link
Contributor

@setpill setpill commented Aug 6, 2019

Rationale: ran into a bug with the systemd service file, fixed it locally and figured I might as well contribute my fix.

Also fixed some unrelated confusing phrasing in the comments of the same file, after discussion in IRC.

@laanwj
Copy link
Member

laanwj commented Aug 6, 2019

Looks similar to #15995

@setpill
Copy link
Contributor Author

setpill commented Aug 6, 2019

Added suggested improvements and fixes from #15995

@setpill setpill changed the title Fix systemd service perms Fix systemd service file configuration directory setup Aug 6, 2019
@sipsorcery
Copy link
Contributor

sipsorcery commented Aug 17, 2019
edited
Loading

tACK 6c8b98b5bf8c3e6c797544b2c7f0a0fc5f5afda6 74f741d49c3763d082fc15fda7f342515faf4210 (read the commits in the wrong date order)

Since this has cropped up again IMHO either something like the fix in this PR should be merged or if not maybe we should at least add an extra step to the documentation informing users they MUST always explicitly set the ownership on the /etc/bitcoin directory.

The doc/init.md file states:

The configuration file, PID directory (if applicable) and data directory should all be owned by the bitcoin user and group. It is advised for security reasons to make the configuration file and data directory only readable by the bitcoin user and group. Access to bitcoin-cli and other bitcoind rpc clients can then be controlled by group membership.

NOTE: When using the systemd .service file, the creation of the aforementioned directories and the setting of their permissions is automatically handled by systemd. Directories are given a permission of 710, giving the bitcoin group access to files under it if the files themselves give permission to the bitcoin group to do so (e.g. when -sysperms is specified). This does not allow for the listing of files under the directory.

The problem is this sentence When using the systemd .service file, the creation of the aforementioned directories and the setting of their permissions is automatically handled by systemd. At least on Ubuntu 18.04 it's wrong. If the creation of the /etc/bitcoin directory is left up to systemd the result is:

$ sudo ls -l /etc
drwx--x--- 2 root root       4096 Aug 17 12:34 bitcoin
$ sudo ls -l /etc/bitcoin
-rw-r--r-- 1 bitcoin bitcoin 6455 Aug 17 12:34 bitcoin.conf

Which results in:

sudo systemctl start bitcoind

2019-08-17T12:58:29Z Bitcoin Core version v0.18.1 (release build)
2019-08-17T12:58:29Z Assuming ancestors of block 0000000000000000000f1c54590ee18d15ec70e68c8cd4cfbadb1b4f11697eee have valid signatures.
2019-08-17T12:58:29Z Setting nMinimumChainWork=0000000000000000000000000000000000000000051dc8b82f450202ecb3d471
2019-08-17T12:58:29Z Using the 'sse4(1way),sse41(4way),avx2(8way)' SHA256 implementation
2019-08-17T12:58:29Z Using RdSeed as additional entropy source
2019-08-17T12:58:29Z Using RdRand as an additional entropy source
2019-08-17T12:58:29Z Default data directory /home/admin/.bitcoin
2019-08-17T12:58:29Z Using data directory /var/lib/bitcoind
2019-08-17T12:58:29Z

************************
EXCEPTION: N5boost10filesystem16filesystem_errorE
boost::filesystem::status: Permission denied: "/etc/bitcoin/bitcoin.conf"
bitcoin in AppInit()



************************
EXCEPTION: N5boost10filesystem16filesystem_errorE
boost::filesystem::status: Permission denied: "/etc/bitcoin/bitcoin.conf"
bitcoin in AppInit()

2019-08-17T12:58:29Z Shutdown: In progress...
2019-08-17T12:58:29Z Shutdown: done

The fix is:

$ sudo chown bitcoin:bitcoin /etc/bitcoin
$ ls -l /etc
drwx--x--- 2 bitcoin bitcoin    4096 Aug 17 12:34 bitcoin

sudo systemctl start bitcoind

2019-08-17T13:09:13Z Bitcoin Core version v0.18.1 (release build)
2019-08-17T13:09:13Z Assuming ancestors of block 0000000000000000000f1c54590ee18d15ec70e68c8cd4cfbadb1b4f11697eee have valid signatures.
2019-08-17T13:09:13Z Setting nMinimumChainWork=0000000000000000000000000000000000000000051dc8b82f450202ecb3d471
2019-08-17T13:09:13Z Using the 'sse4(1way),sse41(4way),avx2(8way)' SHA256 implementation
2019-08-17T13:09:13Z Using RdSeed as additional entropy source
2019-08-17T13:09:13Z Using RdRand as an additional entropy source
2019-08-17T13:09:13Z Default data directory /home/bitcoin/.bitcoin
2019-08-17T13:09:13Z Using data directory /var/lib/bitcoind
2019-08-17T13:09:13Z Config file: /etc/bitcoin/bitcoin.conf
2019-08-17T13:09:13Z Using at most 125 automatic connections (1024 file descriptors available)
2019-08-17T13:09:13Z Using 16 MiB out of 32/2 requested for signature cache, able to store 524288 elements
2019-08-17T13:09:13Z Using 16 MiB out of 32/2 requested for script execution cache, able to store 524288 elements
2019-08-17T13:09:13Z Using 4 threads for script verification
2019-08-17T13:09:13Z HTTP: creating work queue of depth 16
2019-08-17T13:09:13Z No rpcpassword set - using random cookie authentication.
2019-08-17T13:09:13Z Generated RPC authentication cookie /var/lib/bitcoind/.cookie
2019-08-17T13:09:13Z HTTP: starting 4 worker threads
2019-08-17T13:09:13Z scheduler thread start
2019-08-17T13:09:13Z Using wallet directory /var/lib/bitcoind
2019-08-17T13:09:13Z init message: Verifying wallet(s)...
2019-08-17T13:09:13Z Using BerkeleyDB version Berkeley DB 4.8.30: (April  9, 2010)
2019-08-17T13:09:13Z Using wallet /var/lib/bitcoind
2019-08-17T13:09:13Z BerkeleyEnvironment::Open: LogDir=/var/lib/bitcoind/database ErrorFile=/var/lib/bitcoind/db.log
2019-08-17T13:09:13Z init message: Loading banlist...
2019-08-17T13:09:13Z ERROR: DeserializeFileDB: Failed to open file /var/lib/bitcoind/banlist.dat
2019-08-17T13:09:13Z Invalid or missing banlist.dat; recreating
2019-08-17T13:09:13Z Cache configuration:
2019-08-17T13:09:13Z * Using 2.0 MiB for block index database
2019-08-17T13:09:13Z * Using 8.0 MiB for chain state database
2019-08-17T13:09:13Z * Using 440.0 MiB for in-memory UTXO set (plus up to 286.1 MiB of unused mempool space)
2019-08-17T13:09:13Z init message: Loading block index...
2019-08-17T13:09:13Z Opening LevelDB in /var/lib/bitcoind/blocks/index
2019-08-17T13:09:13Z Opened LevelDB successfully

@setpill
Copy link
Contributor Author

setpill commented Aug 19, 2019
edited
Loading

@sipsorcery 6c8b98b is potentially dangerous; see #15995 (comment) (quoted below for ease of reading).

I'm not convinced that this is a good idea. bitcoin.conf can contain secrets such as RPC account user/passwords, so restricting its permissions to root and whatever the uid/gid is that the service runs under makes sense.
(at least by default! of course admins can decide to weaken these permissions in specific cases)

I have since changed the PR to, rather than make the conf dir/file world-readable, make systemd set the group of the confdir to bitcoin as per #15995 (review) (relevant part quoted below):

Other options would be [..] to keep the current 0710 but change the group:

drwx--x--- root bitcoin /etc/bitcoin

with something like:

PermissionsStartOnly=true
ExecStartPre=chgrp bitcoin /etc/bitcoin

As well as included the hardening from your PR (ProtectHome).

ryanofsky
ryanofsky reviewed Aug 19, 2019
View reviewed changes
Copy link
Contributor

@ryanofsky ryanofsky left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

utACK 74f741d49c3763d082fc15fda7f342515faf4210. Looks good to me, but please rebase and drop the first commit (6c8b98b5bf8c3e6c797544b2c7f0a0fc5f5afda6). It's confusing to keep that commit when the change it makes is just reverted later by the third commit (eeb046abb8187da85e6e6f6570c06e9620595d5a).

setpill added 4 commits August 20, 2019 10:54
@setpill
Improve clarity of systemd service file comments
aded052 
The phrasing seemed to indicate that the options specified in
ExecStart= could not be specified in the config file, necessitating
their inclusion in the service file. However, the options in the
config file simply get overridden by any specified in ExecStart=.
@setpill
Chgrp config dir to bitcoin in systemd service
639a416 
Rather than making the config dir world-readable, which potentially
leaks RPC credentials, the group of the directory is changed to the one
the service is executed as.
@setpill
Set ProtectHome in systemd service file
870d415 
Further hardening; the service should be run with as many restrictions
as possible without breaking it.
@setpill
Unrecommend making config file owned by bitcoin
f3b57f4 
The bitcoin user needs read access to the configuration file, but write
access is not needed. It is not considered best practice to make
configuration directories and files owned by the services reading them.
@setpill setpill force-pushed the fix-systemd-service-perms branch from 74f741d to f3b57f4 Compare August 20, 2019 08:54
@DrahtBot
Copy link
Contributor

DrahtBot commented Aug 24, 2019
edited
Loading

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Conflicts

No conflicts as of last run.

ryanofsky
ryanofsky approved these changes Aug 27, 2019
View reviewed changes
Copy link
Contributor

@ryanofsky ryanofsky left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

utACK f3b57f4. Only change since last review is removing ConfigurationDirectoryMode churn in early commits

@fanquake
Copy link
Member

fanquake commented Aug 28, 2019

@sipsorcery @dongcarl Want to take another look here?

@sipsorcery
Copy link
Contributor

sipsorcery commented Aug 28, 2019

tACK f3b57f4 (nothing changed since previous tACK).

fanquake added a commit that referenced this pull request Aug 29, 2019
@fanquake
Merge #16556: Fix systemd service file configuration directory setup
fc5b756 
f3b57f4 Unrecommend making config file owned by bitcoin (setpill)
870d415 Set ProtectHome in systemd service file (setpill)
639a416 Chgrp config dir to bitcoin in systemd service (setpill)
aded052 Improve clarity of systemd service file comments (setpill)

Pull request description:

  Rationale: ran into a bug with the systemd service file, fixed it locally and figured I might as well contribute my fix.

  Also fixed some unrelated confusing phrasing in the comments of the same file, after discussion in IRC.

ACKs for top commit:
  sipsorcery:
    tACK f3b57f4 (nothing changed since previous tACK).
  ryanofsky:
    utACK f3b57f4. Only change since last review is removing ConfigurationDirectoryMode churn in early commits

Tree-SHA512: 2188345878925b9e8a5c2c3df8dfba443720e2252a164db54a8e1d8007846721497b2d98c56f1d9b60a9a9ed4fdb1156c7b02c699616b220a9b614671617d32a
@fanquake fanquake merged commit f3b57f4 into bitcoin:master Aug 29, 2019
sidhujag pushed a commit to syscoin/syscoin that referenced this pull request Aug 29, 2019
@fanquake @sidhujag
Merge bitcoin#16556: Fix systemd service file configuration directory…
458a308 
… setup

f3b57f4 Unrecommend making config file owned by bitcoin (setpill)
870d415 Set ProtectHome in systemd service file (setpill)
639a416 Chgrp config dir to bitcoin in systemd service (setpill)
aded052 Improve clarity of systemd service file comments (setpill)

Pull request description:

  Rationale: ran into a bug with the systemd service file, fixed it locally and figured I might as well contribute my fix.

  Also fixed some unrelated confusing phrasing in the comments of the same file, after discussion in IRC.

ACKs for top commit:
  sipsorcery:
    tACK f3b57f4 (nothing changed since previous tACK).
  ryanofsky:
    utACK f3b57f4. Only change since last review is removing ConfigurationDirectoryMode churn in early commits

Tree-SHA512: 2188345878925b9e8a5c2c3df8dfba443720e2252a164db54a8e1d8007846721497b2d98c56f1d9b60a9a9ed4fdb1156c7b02c699616b220a9b614671617d32a
@hebasto
Copy link
Member

hebasto commented Sep 29, 2019

FWIW, PermissionsStartOnly, introduced in this PR, is deprecated.

@setpill setpill deleted the fix-systemd-service-perms branch September 30, 2019 09:52
@setpill setpill mentioned this pull request Sep 30, 2019
Closed
@bitcoin bitcoin locked as resolved and limited conversation to collaborators Dec 16, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@ryanofsky ryanofsky ryanofsky approved these changes

Assignees

No one assigned

Labels

Scripts and tools

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@setpill @laanwj @sipsorcery @DrahtBot @fanquake @hebasto @ryanofsky