Skip to content

util: Set safe permissions for data directory and wallets/ subdir #17127

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
fanquake merged 3 commits into from
Feb 7, 2023
Merged

util: Set safe permissions for data directory and wallets/ subdir #17127

fanquake merged 3 commits into from
Feb 7, 2023

Conversation

@hebasto
Copy link
Member

@hebasto hebasto commented Oct 13, 2019
edited
Loading

On master (1e7564e) docs say:

$ ./src/bitcoind -help | grep -A 3 sysperms
  -sysperms
       Create new files with system default permissions, instead of umask 077
       (only effective with disabled wallet functionality)

Basing on that, one could expect that running bitcoind first time will create data directory and wallets/ subdirectory with safe 0700 permissions.

But that is not the case:

$ stat .bitcoin | grep id
Access: (0775/drwxrwxr-x)  Uid: ( 1000/ hebasto)   Gid: ( 1000/ hebasto)
$ stat .bitcoin/wallets | grep id
Access: (0775/drwxrwxr-x)  Uid: ( 1000/ hebasto)   Gid: ( 1000/ hebasto)

Both directories, in fact, are created with system default permissions.

With this PR:

$ stat .bitcoin/wallets | grep id
Access: (0700/drwx------)  Uid: ( 1000/ hebasto)   Gid: ( 1000/ hebasto)
$ stat .bitcoin/wallets | grep id
Access: (0700/drwx------)  Uid: ( 1000/ hebasto)   Gid: ( 1000/ hebasto)

This PR:

Changes in behavior: removed -sysperms command-line argument / configure option. The related discussions are here:

If users rely on non-default access permissions, they could use chmod.

@DrahtBot
Copy link
Contributor

DrahtBot commented Oct 13, 2019
edited
Loading

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Reviews

See the guideline for information on the review process.

Type Reviewers
ACK john-moffett, willcl-ark
Concept ACK laanwj, practicalswift
Stale ACK jonasschnelli

If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

Conflicts

Reviewers, this pull request conflicts with the following ones:

  • #26863 (test: merge banning test from p2p_disconnect_ban to rpc_setban by brunoerg)

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

laanwj
laanwj reviewed Oct 14, 2019
View reviewed changes
src/util/system.cpp Outdated
Copy link
Member

@laanwj laanwj Oct 14, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

GetDataDir, a getter, is not the place to do things such as set the umask. Please don't add these kind of side-effects.

Copy link
Member Author

@hebasto hebasto Oct 14, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe GetDataDir is not a proper name for this function as it already has an intended side-effect:
https://github.com/bitcoin/bitcoin/blob/ddd3cd30cb050fe9b8738778beecba1d8bd50d52/src/util/system.cpp#L777-L780

Copy link
Member

@laanwj laanwj Oct 14, 2019
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know. I kind of want to get rid of that too. But don't add any more

(edit: also I think setting umask is the worst kind of side effect possible, it's global state of the program over all threads)

Copy link
Member Author

@hebasto hebasto Oct 14, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

laanwj
laanwj reviewed Oct 14, 2019
View reviewed changes
@laanwj
Copy link
Member

laanwj commented Oct 14, 2019

Concept ACK on removing -sysperms.

@hebasto hebasto force-pushed the 20191013-permissions branch from ddd3cd3 to b43aa35 Compare October 14, 2019 11:29
@hebasto
Copy link
Member Author

hebasto commented Oct 14, 2019

@laanwj
Thank you for your review. All your comments have been addressed.

@hebasto hebasto force-pushed the 20191013-permissions branch from b43aa35 to 005649f Compare October 16, 2019 16:07
@hebasto
Copy link
Member Author

hebasto commented Oct 16, 2019

Rebased after #17138 has been merged.

laanwj
laanwj reviewed Oct 21, 2019
View reviewed changes
src/util/system.h Outdated
Copy link
Member

@laanwj laanwj Oct 21, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wouldn't SetupEnvironment be the right place for this? Or is that too early?

Copy link
Member Author

@hebasto hebasto Oct 21, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Currently, SetDefaultUmask() is called just before the first possible disk write.

SetupEnvironment() seems too broad, as it is called in utilities too. And, yes, I think it is too early. But I could be wrong ;)

Copy link
Member

@laanwj laanwj Oct 23, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But does that matter? What would be the consequences of setting it too early? Why wouldn't we want to set the umask for the utilties?

Copy link
Member Author

@hebasto hebasto Oct 26, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wouldn't SetupEnvironment be the right place for this?

Agree.

@hebasto hebasto force-pushed the 20191013-permissions branch from 005649f to 7213e8c Compare October 26, 2019 18:37
@hebasto
Copy link
Member Author

hebasto commented Oct 26, 2019

@laanwj Thank you for review. Your comment has been addressed.

@hebasto
Copy link
Member Author

hebasto commented Nov 25, 2019

@promag Would you mind reviewing this PR?

This was referenced Feb 11, 2020
Merged
Merged
@hebasto hebasto force-pushed the 20191013-permissions branch from 7213e8c to 67b1209 Compare April 20, 2020 19:28
@hebasto
Copy link
Member Author

hebasto commented Apr 20, 2020

Rebased 7213e8c -> 67b1209 (pr17127.04 -> pr17127.05) due to the conflict with #15761.

@DrahtBot DrahtBot mentioned this pull request May 6, 2020
Closed
@hebasto hebasto force-pushed the 20191013-permissions branch from 67b1209 to 297e61c Compare May 9, 2020 03:50
@hebasto
Copy link
Member Author

hebasto commented May 9, 2020

Rebased 67b1209 -> 297e61c (pr17127.05 -> pr17127.06) due to the conflict with #16224.

@DrahtBot DrahtBot mentioned this pull request May 14, 2020
Merged
@jonasschnelli
Copy link
Contributor

jonasschnelli commented May 29, 2020

utACK 297e61c

@jonasschnelli jonasschnelli mentioned this pull request Jun 5, 2020
Closed
@DrahtBot DrahtBot mentioned this pull request Jun 5, 2020
Merged
@DrahtBot DrahtBot mentioned this pull request Nov 17, 2022
Closed
willcl-ark
willcl-ark approved these changes Nov 17, 2022
View reviewed changes
Copy link
Member

@willcl-ark willcl-ark left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ACK 9b105d7

The test datadir will have the following files created in it after node shutdown:

banlist.json, debug.log, fee_estimates.dat, mempool.dat, peers.dat, settings.json

Would it be worth adding a permissions test for e.g debug.log to check that the correct umask is also being applied to files?

@hebasto
Copy link
Member Author

hebasto commented Nov 30, 2022

@willcl-ark

The test datadir will have the following files created in it after node shutdown:

banlist.json, debug.log, fee_estimates.dat, mempool.dat, peers.dat, settings.json

Would it be worth adding a permissions test for e.g debug.log to check that the correct umask is also being applied to files?

Sorry, but I didn't quite get your suggestion. Mind elaborating it?

@willcl-ark
Copy link
Member

willcl-ark commented Nov 30, 2022

Sorry, but I didn't quite get your suggestion. Mind elaborating it?

My fault for not being clearer!

You added a test for directory permissions, but not not one for files. As files and folders will be created with different permissions, it might make sense to add this at the same time?

For directories the test covers datadir and walletsdir. For files I was suggesting we could test debug.log.

@willcl-ark
Copy link
Member

willcl-ark commented Dec 9, 2022

This also fixes #22595

@hebasto hebasto force-pushed the 20191013-permissions branch from 9b105d7 to 07c496d Compare December 9, 2022 13:16
@hebasto
Copy link
Member Author

hebasto commented Dec 9, 2022

Updated 9b105d7 -> 07c496d (pr17127.11 -> pr17127.12):

@hebasto hebasto mentioned this pull request Dec 9, 2022
Closed
@fanquake fanquake requested a review from willcl-ark December 20, 2022 16:41
willcl-ark
willcl-ark approved these changes Jan 6, 2023
View reviewed changes
Copy link
Member

@willcl-ark willcl-ark left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ACK 07c496d

Might want to add this to the release notes too?

fanquake
fanquake reviewed Jan 6, 2023
View reviewed changes
@DrahtBot DrahtBot mentioned this pull request Jan 10, 2023
Closed
@hebasto
Remove -sysperms option
8a6219e 
This change effectively reverts commits from
bitcoin#4286.

Users, who rely on non-default access permissions, should use `chmod`
command.
@hebasto hebasto force-pushed the 20191013-permissions branch from 07c496d to 15c7105 Compare February 5, 2023 08:09
@hebasto
Copy link
Member Author

hebasto commented Feb 5, 2023

Updated 07c496d -> 15c7105 (pr17127.12 -> pr17127.13):

john-moffett
john-moffett reviewed Feb 5, 2023
View reviewed changes
Copy link
Contributor

@john-moffett john-moffett left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approach ACK 15c7105

I agree that this may warrant an explicit release note considering a command line option is being dropped.

@hebasto
Apply default umask in SetupEnvironment()
581f16e 
This change makes all filesystem artifacts--files and directories--being
created with the default umask.
@hebasto
test: Add test for file system permissions
c9ba4f9
@hebasto hebasto force-pushed the 20191013-permissions branch from 15c7105 to c9ba4f9 Compare February 6, 2023 11:09
@hebasto
Copy link
Member Author

hebasto commented Feb 6, 2023

Updated 15c7105 -> c9ba4f9 (pr17127.13 -> pr17127.14, diff):

@john-moffett
Copy link
Contributor

john-moffett commented Feb 6, 2023

ACK c9ba4f9

willcl-ark
willcl-ark approved these changes Feb 6, 2023
View reviewed changes
Copy link
Member

@willcl-ark willcl-ark left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ACK c9ba4f9

@fanquake fanquake merged commit 6e08e5c into bitcoin:master Feb 7, 2023
@hebasto hebasto deleted the 20191013-permissions branch February 7, 2023 11:36
sidhujag pushed a commit to syscoin/syscoin that referenced this pull request Feb 7, 2023
@fanquake
Merge bitcoin#17127: util: Set safe permissions for data directory an…
9c8d89e 
…d `wall…
@willcl-ark willcl-ark mentioned this pull request Mar 15, 2023
Closed
@willcl-ark willcl-ark mentioned this pull request Dec 7, 2023
Closed
@bitcoin bitcoin locked and limited conversation to collaborators Feb 7, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@laanwj laanwj laanwj left review comments

@fanquake fanquake fanquake left review comments

+2 more reviewers

@john-moffett john-moffett john-moffett left review comments

@willcl-ark willcl-ark willcl-ark approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

Utils/log/libs

Projects

None yet

Milestone

No milestone

8 participants

@hebasto @DrahtBot @laanwj @jonasschnelli @practicalswift @willcl-ark @john-moffett @fanquake