-
Notifications
You must be signed in to change notification settings - Fork 35.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add option to disable 077 umask (create new files with system default umask) #4286
Conversation
… umask) The option is only effective for either wallet-less builds or if -disablewallet is specified as well.
|
Hey Jeff I agree that it's a bit messy. Here's another version. It keeps the umask call in the same place, only adds 11 lines of code, and I've changed the option name to "-sysperms". But you can name it anything you want, I'm not good with names. Is that better? |
IMO we really shouldn't be changing umask at all, just opening sensitive files with the correct mode... |
@luke-jr I agree that would be much more elegant. The wallet (and associated environment files) should have the minimum possible permissions, whereas the block files and leveldb indices should be readable by anyone (or at least - as defined by the inherited umask). |
I agree that the best solution is to not change the umask at all, but selective create sensitive files with the appropriate permissions. And when that is implemented, the code that this patch changes should be removed as a part of it. But until it's done the proper way, this patch offers a way to get around the problems associated with ignoring system default permissions. |
umask(077); | ||
|
||
#ifdef ENABLE_WALLET | ||
if (!GetBoolArg("-sysperms", false) || !GetBoolArg("-disablewallet", false)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For sake of explicitness you could make it a fatal error if -sysperms
is specified but the wallet is enabled. I like that slightly more than ignoring the conflict.
@runeksvendsen Agreed. This is the simplest solution for now, and offers blanket protection. It's easy to forget setting the umask for some wallet-related thing or another. |
So why not just skip umask in the disablewallet case? Why do we need -sysperms? |
#else | ||
if (!GetBoolArg("-sysperms", false)) | ||
umask(077); | ||
#endif |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What about (same logic, reduces the number of GetBoolArg calls to one for each option):
if (GetBoolArg("-sysperms", false)) {
#ifdef ENABLE_WALLET
if (!GetBoolArg("-disablewallet", false))
return InitError("E....")
#endif
} else {
umask(077);
}
@laanwj I can do that. I thought about that as well, but I didn't do it because I thought the other approach would be clearer, and I was unsure about how an empty if-clause is handled (in case ENABLE_WALLET isn't set). With the wallet functionality enabled, if debug.log does not exist and only -sysperms is passed (and not -disablewallet), debug.log will be created with system default permissions (ie. not 600). Not sure if this could pose a problem, but I just thought I would mention it anyway. |
@runeksvendsen empty if clauses are perfectly safe, if you surround them with braces like done here. @cozz well this is more explicit; having the umask setting be a property of enable-wallet mode doesn't pass the principle of least surprise for me. |
@@ -210,6 +210,9 @@ std::string HelpMessage(HelpMessageMode hmm) | |||
strUsage += " -pid=<file> " + _("Specify pid file (default: bitcoind.pid)") + "\n"; | |||
strUsage += " -reindex " + _("Rebuild block chain index from current blk000??.dat files") + " " + _("on startup") + "\n"; | |||
strUsage += " -txindex " + _("Maintain a full transaction index (default: 0)") + "\n"; | |||
#if !defined(WIN32) | |||
strUsage += " -sysperms " + _("Create new files with system default permissions, instead of umask 077 (only effective with disabled wallet functionality)") + "\n"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
NIT: leave the command-line options sorted within their category
Automatic sanity-testing: PASSED, see http://jenkins.bluematt.me/pull-tester/p4286_7e09b36ea5316671dfc86df62d90f78597b22fe9/ for binaries and test log. |
In the future please try to get the "this is useful" text describing the motivation into the commit message. I was scratching my head at this. :) |
@gmaxwell Good to know. I will do that in the future. |
… umask) The option is only effective for either wallet-less builds or if -disablewallet is specified as well. Rebased-By: Wladimir J. van der Laan <laanwj@gmail.com> Rebased-From: 34d5fc0 4e1a196 bd4307b d53a33b 7e09b36 Github-Pull: bitcoin#4286 (cherry picked from commit bdd5b58) # Conflicts: # src/init.cpp
The option is only effective for either wallet-less builds or if
-disablewallet is specified as well.
This is useful when the wallet is handled by an application other than bitcoind (for example Armory). If bitcoind runs as a user different from the user that runs Armory, Armory is not able to read the blockchain files that it needs to. This allows bitcoind to be run as a separate user and function with Armory (and other applications that need to read bitcoind data files) at the same time.