init: Add option for rpccookie permissions (replace 26088)

[willcl-ark]

This PR picks up #26088 by aureleoules which adds a bitcoind launch option -rpccookieperms to set the file permissions of the cookie generated by bitcoin core.

Example usage to make the generated cookie group-readable: ./src/bitcoind -rpccookieperms=group.

Accepted values for -rpccookieperms are [owner|group|all]. We let fs::perms handle platform-specific permissions changes.

[DrahtBot]

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Code Coverage

For detailed information about the code coverage, see the test coverage report.

Reviews

See the guideline for information on the review process.

Type	Reviewers
ACK	achow101, ryanofsky, tdb3
Approach ACK	jamesob

If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

Conflicts

Reviewers, this pull request conflicts with the following ones:

• #29641 (scripted-diff: Use LogInfo/LogDebug over LogPrintf/LogPrint by maflcko)

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

[DrahtBot]

Are you still working on this?

[willcl-ark]

Updated to address luke's comment and added a test to ensure rpccookieperms are being applied

[willcl-ark]

Rebased now that #28905 is merged.

[luke-jr]

This won't work if multiple bits are set

[luke-jr]

These bits seem to typically manifest by replacing the 'x' field with either 's' (setuid/setgid+executable), 'S' (setuid/setgid WITHOUT executable), 't' (sticky+exec), or 'T' (sticky NO exec)

[kristapsk]

Should the permissions that can be set limited here? There is no reason to ever set +x on an RPC cookie file.

[luke-jr]

I'm not sure there's a reason to ever set +w either... maybe it should just be -rpccookieaccess user/group/all or something

[kristapsk]

I'm not sure there's a reason to ever set +w either... maybe it should just be -rpccookieaccess user/group/all or something

Agree, makes sense. Giving read access to other users is the only use case of this functionality I know of.

[ryanofsky]

Code review ACK e479803. Seems very clean now with the test simplification and without the win32 stuff.

[ryanofsky]

In commit "init: add option for rpccookie permissions" (7ad5349)

Could move this variable inside the if statement since it's not used afterwards.

[willcl-ark]

Moved in 9eff560

[tdb3]

re ACK e479803

Ran rpc_users locally (passed).
Re-ran the manual check in #28167 (review) (same results).
Left one minor nit.

[tdb3]

nit: If touching this file again, may want to consider defining a default argument for cookie_perms. Since std::optional is used, I'm assuming the intent is not to force the caller to provide an optional object.

diff --git a/src/rpc/request.h b/src/rpc/request.h
index b40df16631..c7e723d962 100644
--- a/src/rpc/request.h
+++ b/src/rpc/request.h
@@ -19,7 +19,7 @@ std::string JSONRPCReply(const UniValue& result, const UniValue& error, const Un
 UniValue JSONRPCError(int code, const std::string& message);
 
 /** Generate a new RPC authentication cookie and write it to disk */
-bool GenerateAuthCookie(std::string* cookie_out, std::optional<fs::perms> cookie_perms);
+bool GenerateAuthCookie(std::string* cookie_out, std::optional<fs::perms> cookie_perms=std::nullopt);
 /** Read the RPC authentication cookie from disk */
 bool GetAuthCookie(std::string *cookie_out);
 /** Delete RPC authentication cookie from disk */

GenerateAuthCookie() is currently used with the argument provided, so not a big deal either way.

[willcl-ark]

Added in 49d5bfd

[achow101]

In 31cc8bc "test: add rpccookieperms test"

Since #29034, the preferred convention is to use platform.system() rather than os.name.

[willcl-ark]

Thanks, updated in 49d5bfd

[achow101]

In 31cc8bc "test: add rpccookieperms test"

This is incorrect. It causes the entire test file to be marked as skipped (different exit code, marked differently in the test runner output) even though everything else ran. The correct thing here is to skip this individual case, which can be achieved by simply returning.

[tdb3]

Good catch. Might also be good to print a log message before returning for awareness.

[willcl-ark]

Oh no! fixed in 49d5bfd

[achow101]

In 38af55e "util: add PermsToString and StringToPerms"

nit: This naming is a little bit confusing to me since it suggests that these functions are inverses of each other, but they're not as their string outputs are not compatible.

[willcl-ark]

I agree on reflection, gave them new names in 49d5bfd

[achow101]

In 7ad5349 "init: add option for rpccookie permissions"

This comment is removed, but the umask is still what sets the permissions in the default case.

Since we can set the permissions explicitly in this function, I think it would make sense to always set them with owner as default rather than relying on the umask that happens somewhere else.

[ryanofsky]

re: #28167 (comment)

This comment is removed, but the umask is still what sets the permissions in the default case.

Good catch, it would be good to add back the comment.

Since we can set the permissions explicitly in this function, I think it would make sense to always set them with owner as default rather than relying on the umask that happens somewhere else.

The PR was actually doing this originally, but I suggested doing the opposite in #28167 (comment). It makes sense to me that when -rpccookieperms option is not specified, bitcoind would not set permissions on this file, just like it is not setting permissions on other files.

It seems fragile to rely on the fs::permissions call doing the right thing on all filesystems, when its behavior is not specified anywhere and we have never relied on it before. The documentation points to some odd ways it can be behave like "changing some bits may automatically change others" and we don't know what unusual things it may do on fuse filesystems or filesystems that use ACLs.

[willcl-ark]

I've un-removed the comment in 9eff560, as I agree with @ryanofsky that not changing the existant behaviour is the "safer" default, and new behaviour can be introduced with the new option.

[tdb3]

re ACK 4f6b00c

Ran rpc_users locally (passed).
Re-ran the manual check in #28167 (review) (same results).
Also sanity checked on a Windows machine running Python 3.9.13 that platform.system() does return "Windows".
Left one minor nit.

[DrahtBot]

🚧 At least one of the CI tasks failed. Make sure to run all tests locally, according to the
documentation.

Possibly this is due to a silent merge conflict (the changes in this pull request being
incompatible with the current code in the target branch). If so, make sure to rebase on the latest
commit of the target branch.

Leave a comment here, if you need help tracking down a confusing failure.

_{Debug: https://github.com/bitcoin/bitcoin/runs/26763232631}

[achow101]

ACK 73f0a6c

[ryanofsky]

Code review ACK 73f0a6c. Main change since last review is no longer throwing a skip exception in the rpc test on windows, so other checks can run after it, and overall test result is passing, not skipped. Also were clarifying renames and documentation improvements.

[tdb3]

cr ACK 73f0a6c

[Sjors]

Nice! Will try this out soon.

Update 2024-07-11: works like a charm and allowed me to drop some ugliness from systemd config.