From 318d738131294487a24348c11731f2365cc9a97e Mon Sep 17 00:00:00 2001 From: Martin Habovstiak Date: Sat, 17 Jul 2021 10:45:17 +0200 Subject: [PATCH] lnd: allow group reading admin macaroon This changes file creation mode on admin macaroon from 0600 to 0640. The reason is to make permission management easier. Closes #4385 **Is this safe?** Yes, it is. Assuming a reasonably secure Linux system, it will have a separate group for each user. E.g. a new user `lnd` gets assigned group `lnd` which nothing else belongs to. A system that does not do this is inherently broken already. Since there is no other user in the group, no other user can read admin macaroon unless the administrator explicitly allowed it. Thus there's no harm allowing group read. --- docs/release-notes/release-notes-0.14.0.md | 14 ++++++++++++++ lnd.go | 20 +++++++++++++++++++- 2 files changed, 33 insertions(+), 1 deletion(-) diff --git a/docs/release-notes/release-notes-0.14.0.md b/docs/release-notes/release-notes-0.14.0.md index 293269e70..a975e68b6 100644 --- a/docs/release-notes/release-notes-0.14.0.md +++ b/docs/release-notes/release-notes-0.14.0.md @@ -5,6 +5,19 @@ [Return payment address and add index from addholdinvoice call](https://github.com/lightningnetwork/lnd/pull/5533). +## Security + +### Admin macaroon permissions + +The default file permissions of admin.macaroon were [changed from 0600 to +0640](https://github.com/lightningnetwork/lnd/pull/5534). This makes it easier +to allow other users to manage LND. This is safe on common Unix systems +because they always create a new group for each user. + +If you use a strange system or changed group membership of the group running LND +you may want to check your system to see if it introduces additional risk for +you. + # Build System [A new pre-submit check has been @@ -31,4 +44,5 @@ the release notes folder that at leasts links to PR being added. # Contributors (Alphabetical Order) * ErikEk +* Martin Habovstiak * Zero-1729
diff --git a/lnd.go b/lnd.go
index bd0f2839d..7a05f5175 100644
--- a/lnd.go
+++ b/lnd.go
@@ -56,6 +56,22 @@ import (
 	"github.com/lightningnetwork/lnd/watchtower/wtdb"
 )
 
+const (
+	// adminMacaroonFilePermissions is the file permission that is used for
+	// creating the admin macaroon file.
+	//
+	// Why 640 is safe:
+	// Assuming a reasonably secure Linux system, it will have a
+	// separate group for each user. E.g. a new user lnd gets assigned group
+	// lnd which nothing else belongs to. A system that does not do this is
+	// inherently broken already.
+	//
+	// Since there is no other user in the group, no other user can read
+	// admin macaroon unless the administrator explicitly allowed it. Thus
+	// there's no harm allowing group read.
+	adminMacaroonFilePermissions = 0640
+)
+
 // AdminAuthOptions returns a list of DialOptions that can be used to
 // authenticate with the RPC server with admin capabilities.
 // skipMacaroons=true should be set if we don't want to include macaroons with
@@ -1255,7 +1271,9 @@ func genMacaroons(ctx context.Context, svc *macaroons.Service,
 	if err != nil {
 		return err
 	}
-	if err = ioutil.WriteFile(admFile, admBytes, 0600); err != nil {
+
+	err = ioutil.WriteFile(admFile, admBytes, adminMacaroonFilePermissions)
+	if err != nil {
 		_ = os.Remove(admFile)
 		return err
 	}
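Review bot: The doc comment on adminMacaroonFilePermissions justifies 0640 by asserting that any "reasonably secure Linux system" gives each user a private group, but that is a distribution default (Debian adduser's USERGROUPS, Red Hat's user private groups), not something POSIX or Go guarantees, and the group a newly created file receives is the process's effective primary group at creation time, which a service manager can point at a shared group (a systemd `Group=` directive, running under `sg`/`newgrp`), or the parent directory's group on a setgid directory or BSD-style filesystem. The comment should state that precondition instead of declaring other layouts broken, e.g. `// 0640 is only as tight as the primary group lnd runs with: if that`, `// group is shared (systemd Group=, macOS staff, setgid data dir), every`, `// member of it can read the admin macaroon.` It is also worth a word that the mode is still narrowed by the process umask, so an operator with umask 077 keeps an effective 0600.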
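Review bot: ioutil.WriteFile applies adminMacaroonFilePermissions only when it creates admFile (it opens with O_CREATE|O_TRUNC and the mode argument is ignored for an existing file), so an admin.macaroon that already exists keeps whatever mode it had: an upgraded node's file stays 0600, and a file an operator previously chmod'd wider stays wider. Neither the code nor the release note says this, and the change is easy to misread as "lnd now makes the file group-readable". A one-line comment at the write would prevent that, e.g. `// The mode only takes effect when the file is created; an existing`, `// admin.macaroon keeps its current permissions.` genMacaroons starts before this hunk, so whether the file is removed and regenerated earlier in the function is not visible here.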