From 938312d7a6dcf06cb401a16651e80320f36ee4db Mon Sep 17 00:00:00 2001 From: crStiv Date: Fri, 15 Aug 2025 15:54:42 +0200 Subject: [PATCH] docs: clarify RPC credentials security boundary --- doc/JSON-RPC-interface.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/doc/JSON-RPC-interface.md b/doc/JSON-RPC-interface.md index e7f085a377a..a9ea089d4bf 100644 --- a/doc/JSON-RPC-interface.md +++ b/doc/JSON-RPC-interface.md 
@@ -124,6 +124,22 @@ RPC interface will be abused. security-sensitive operations on a computer whose other programs you trust. +- **RPC Credentials Security Boundary:** Any client with valid RPC credentials + should be treated as having significant control over both the Bitcoin Core node + and the filesystem resources accessible by the `bitcoind` process. RPC commands + can load wallet files from paths that the `bitcoind` process has permission to + access, specify file paths for operations, and potentially gain broader access + than intended. This means that someone with RPC access can potentially compromise + not only the Bitcoin Core node, but also the machine it is running on. Bitcoin Core + provides the `-rpcwhitelist` option to restrict which RPC commands specific users + can access, and `-rpcwhitelistdefault` to control the default behavior for users + without explicit whitelists. However, when using multiple wallets or sharing access + with different users, these should not be considered robust security boundaries, as + users with access to certain commands may still be able to exploit functionality in + unexpected ways. For security-sensitive operations, implement proper system-level + isolation (containers, virtualization, separate user accounts with restricted + permissions) rather than relying solely on RPC access controls. + - **Securing remote network access:** You may optionally allow other computers to remotely control Bitcoin Core by setting the `rpcallowip` and `rpcbind` configuration parameters. These settings are only meant
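Review bot: The new bullet's core claim that `-rpcwhitelist` and `-rpcwhitelistdefault` "should not be considered robust security boundaries" is the important point, but the hunk leaves it unsupported and buried at the end of a 16-line paragraph. The sentences "RPC commands can load wallet files from paths that the `bitcoind` process has permission to access, specify file paths for operations, and potentially gain broader access than intended" and "users with access to certain commands may still be able to exploit functionality in unexpected ways" name no command and no mechanism, so a reader cannot tell which whitelisted commands still reach the filesystem or why a per-user whitelist is insufficient; consider naming the file-path-taking RPCs the text has in mind (or pointing to their `help` output) and stating concretely that any command accepting a path is bounded only by the `bitcoind` process's own permissions. The phrase "when using multiple wallets or sharing access with different users" also conflates two separate cases (several wallets under one credential versus several credentials on one node); splitting the bullet into a short statement of the boundary plus a separate sentence on the whitelist options would match the terse style of the neighbouring bullets, and the closing advice on "security-sensitive operations" repeats the wording of the bullet immediately above it, so one of the two should be trimmed or cross-referenced.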