Document RPC security assumptions #1575

Merged
merged 3 commits into from Oct 21, 2016

5 participants
@arcalinea
Contributor

arcalinea commented Oct 20, 2016

Document RPC security assumptions in security-warnings.md #965

doc/security-warnings.md
+RPC Interface
+---------------
+
+If the client knows the RPC password, they have full access to the node. Users should choose a strong RPC password, and refrain from changing the default setting that only allows RPC connections from localhost. A remote host would enable a MITM to execute arbitrary RPC commands. For multi-user services that use one or more zcashd instances on the backend, the parameters passed in by users should be controlled to prevent confused-deputy attacks which could spend from any keys held by that zcashd.
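Review bot: the first sentence understates the impact and the third misplaces the cause; both points are raised in the review below and should go into this hunk. Say "they have at least full access to the node" and add that certain RPC commands can be misused to overwrite files or take over the account running zcashd, so the consequence is compromise of that account and loss of funds, not just node access. Replace "A remote host would enable a MITM to execute arbitrary RPC commands" with "Allowing connections from remote hosts would enable a MITM to execute arbitrary RPC commands", since it is the configuration change, not the existence of a remote host, that creates the exposure. It would also help readers to note here that zcashd refuses to start when no RPC username and password are set and prints a suggested strong random password, so "choose a strong RPC password" has a concrete starting point.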


@daira

daira Oct 20, 2016

Contributor

If the client knows the RPC password, they have at least full access to the node. In addition, certain RPC commands can be misused to overwrite files and/or take over the account that is running zcashd. (We may in future restrict those commands, but full node access –including the ability to spend from keys held by the wallet and export those keys– would still be possible unless wallet methods are disabled.)

Users should choose a strong RPC password, and refrain from changing the default setting that only allows RPC connections from localhost. Allowing connections from remote hosts would enable a MITM to execute arbitrary RPC commands, which could lead to compromise of the account running zcashd and loss of funds. For multi-user services that use one or more zcashd instances on the backend, the parameters passed in by users should be controlled to prevent confused-deputy attacks which could spend from any keys held by that zcashd.
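The confused-deputy case described above, as an added example that is not code from this PR or from zcashd: a default-deny gate that a multi-user service would put between its users and its backend zcashd, so that only an explicit allowlist of methods is forwarded, every address parameter is checked against the calling user's own addresses, and amounts are re-parsed and capped rather than passed through. The method names (z_getbalance, z_sendmany, z_exportkey) are assumed zcashd RPC names; the ownership table, address strings and the per-call spend cap are constructed for the example.

```python
"""Default-deny gate for user-chosen RPC calls on a shared zcashd backend.

Added example, not code from the PR or from zcashd. A service that forwards
user-supplied method names or parameters to its zcashd lets any user spend
from, or export, any key the wallet holds. Method names are assumed zcashd
RPC names; OWNED_ADDRESSES and MAX_SEND_PER_CALL are constructed policy.
"""
from decimal import Decimal, InvalidOperation

# Constructed: which wallet addresses each service user is allowed to act on.
OWNED_ADDRESSES = {
    "alice": {"zaddr_alice_1", "taddr_alice_1"},
    "bob": {"zaddr_bob_1"},
}
MAX_SEND_PER_CALL = Decimal("10")  # assumed service policy


class RpcDenied(Exception):
    """Raised for any request the gate will not forward to zcashd."""


def owned_address(user, addr):
    """Only addresses the service has recorded as the user's own pass."""
    if not isinstance(addr, str) or addr not in OWNED_ADDRESSES.get(user, set()):
        raise RpcDenied("%r may not act on address %r" % (user, addr))
    return addr


def validate_z_getbalance(user, params):
    # z_getbalance <address>: the caller may only query their own addresses.
    if len(params) != 1:
        raise RpcDenied("z_getbalance takes exactly one address")
    return [owned_address(user, params[0])]


def validate_z_sendmany(user, params):
    # z_sendmany <fromaddress> [{"address": .., "amount": ..}, ...]:
    # from-address must be the caller's, recipients are rebuilt field by
    # field (no passthrough of extra keys), amounts are re-parsed and capped.
    if len(params) != 2 or not isinstance(params[1], list) or not params[1]:
        raise RpcDenied("z_sendmany needs a from-address and a non-empty recipient list")
    fromaddr = owned_address(user, params[0])
    outputs, total = [], Decimal(0)
    for out in params[1]:
        if not isinstance(out, dict) or set(out) != {"address", "amount"}:
            raise RpcDenied("recipient must have exactly address and amount")
        try:
            amount = Decimal(str(out["amount"]))
        except InvalidOperation:
            raise RpcDenied("amount is not a number")
        # NaN/Infinity would break the comparison below or the cap; reject them.
        if not amount.is_finite() or amount <= 0 or not isinstance(out["address"], str):
            raise RpcDenied("invalid recipient")
        total += amount
        outputs.append({"address": out["address"], "amount": amount})
    if total > MAX_SEND_PER_CALL:
        raise RpcDenied("total %s exceeds per-call cap" % total)
    return [fromaddr, outputs]


# Anything not listed here (z_exportkey, dumpprivkey, backupwallet, stop, ...)
# never reaches zcashd, whatever the user sends.
ALLOWED_METHODS = {
    "z_getbalance": validate_z_getbalance,
    "z_sendmany": validate_z_sendmany,
}


def gate(user, request):
    """Return a freshly built JSON-RPC request to forward, or raise RpcDenied."""
    method = request.get("method")
    validator = ALLOWED_METHODS.get(method)
    if validator is None:
        raise RpcDenied("method %r is not permitted" % method)
    params = request.get("params", [])
    if not isinstance(params, list):
        raise RpcDenied("params must be a list")
    return {"jsonrpc": "1.0", "id": "svc", "method": method, "params": validator(user, params)}


def try_gate(user, request):
    """The forwarded request, or None if the gate denied it."""
    try:
        return gate(user, request)
    except RpcDenied:
        return None


if __name__ == "__main__":
    print(try_gate("alice", {"method": "z_getbalance", "params": ["zaddr_alice_1"]}))
    print(try_gate("alice", {"method": "z_exportkey", "params": ["zaddr_alice_1"]}))
```

The forwarded request is rebuilt from validated pieces rather than copied from the user's input, so unexpected keys or a substituted method name cannot ride along to zcashd; the service still holds the RPC password, and the user never does.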



@str4d

str4d Oct 20, 2016

Contributor

[comment] If no RPC username and password is set, zcashd will not start and prints an error message with a suggestion for a strong random RPC password.
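The configuration points made in the thread so far (a strong rpcpassword, keeping RPC restricted to localhost, and zcashd refusing to start without an RPC user and password), as an added example that is not part of this PR or of zcashd: a small audit of a zcash.conf that flags a weak or missing password and any rpcallowip or rpcbind entry reaching beyond loopback, alongside a generator for a random password of the kind the startup error suggests. The option names rpcuser, rpcpassword, rpcallowip and rpcbind are the bitcoind-style names zcashd inherits; the 128-bit strength threshold, the password format and both sample configs are this example's own assumptions.

```python
"""Audit a zcash.conf against the RPC assumptions discussed in this PR.

Added example, not zcashd code or part of the PR. It checks only what the
thread documents: rpcuser/rpcpassword must be set (zcashd will not start
otherwise), the password should be strong, and RPC access should stay on
localhost. MIN_PASSWORD_BITS and the generated password format are assumed.
"""
import base64
import ipaddress
import math
import os

MIN_PASSWORD_BITS = 128  # assumption: roughly what a random suggested password provides


def parse_conf(text):
    """Parse key=value lines into {key: [values]}; keys such as rpcallowip may repeat."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf.setdefault(key.strip(), []).append(value.strip())
    return conf


def password_entropy_bits(password):
    """Crude strength estimate: length * log2(size of the character classes used)."""
    classes = (
        (any(c.islower() for c in password), 26),
        (any(c.isupper() for c in password), 26),
        (any(c.isdigit() for c in password), 10),
        (any(not c.isalnum() for c in password), 33),
    )
    alphabet = sum(size for used, size in classes if used)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def is_loopback_network(entry):
    """True only if an rpcallowip entry (IP, IP/CIDR or IP/netmask) lies wholly in loopback space."""
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False
    return net.network_address.is_loopback and net.broadcast_address.is_loopback


def is_loopback_bind(entry):
    """True if an rpcbind entry (host, host:port or [v6]:port) names a loopback address."""
    host = entry
    if entry.startswith("["):
        host = entry[1:entry.index("]")]
    elif entry.count(":") == 1:
        host = entry.split(":", 1)[0]
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit(conf_text):
    """Return a list of findings; an empty list means the conf meets the documented assumptions."""
    conf = parse_conf(conf_text)
    findings = []
    password = conf.get("rpcpassword", [""])[-1]
    if not conf.get("rpcuser") or not password:
        findings.append("rpcuser/rpcpassword missing: zcashd will not start")
    elif password_entropy_bits(password) < MIN_PASSWORD_BITS:
        findings.append("rpcpassword is weak: anyone who guesses it has full node access")
    for entry in conf.get("rpcallowip", []):
        if not is_loopback_network(entry):
            findings.append("rpcallowip=%s admits remote RPC clients; keep the localhost default" % entry)
    for entry in conf.get("rpcbind", []):
        if not is_loopback_bind(entry):
            findings.append("rpcbind=%s exposes the RPC port beyond localhost" % entry)
    return findings


def generate_rpcpassword(nbytes=32):
    """32 random bytes as unpadded base64 (assumed to resemble zcashd's suggested password)."""
    return base64.urlsafe_b64encode(os.urandom(nbytes)).decode("ascii").rstrip("=")


# Constructed sample: the settings the thread warns against.
WEAK_CONF = """\
rpcuser=zcash
rpcpassword=password
rpcallowip=0.0.0.0/0
rpcbind=0.0.0.0
"""


def hardened_conf():
    """Constructed sample keeping the localhost-only default and a random password."""
    return "rpcuser=zcashrpc\nrpcpassword=%s\nrpcallowip=127.0.0.1\nrpcbind=127.0.0.1\n" % generate_rpcpassword()


if __name__ == "__main__":
    for finding in audit(WEAK_CONF):
        print("WEAK:", finding)
    print("hardened findings:", audit(hardened_conf()))
```

Run it against a real ~/.zcash/zcash.conf by passing the file contents to audit(); the entropy estimate is deliberately rough and only meant to catch dictionary-style passwords, not to certify a strong one.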



@ZeroBit

ZeroBit Nov 3, 2016

Is it allowable to change rpcpassword from time to time? If I change password how will it affect my wallet and funds? Should I generate new z- and t- addrs?


@daira
Contributor

daira commented Oct 20, 2016

ACK. @zkbot r+

@zkbot
Contributor

zkbot commented Oct 20, 2016

📌 Commit 78376ca has been approved by daira

@daira daira added this to the 1.0.0-rc2 milestone Oct 20, 2016

zkbot pushed a commit that referenced this pull request Oct 20, 2016

zkbot
Auto merge of #1575 - arcalinea:document-rpc-security, r=daira
Document RPC security assumptions

Document RPC security assumptions in security-warnings.md #965
@zkbot
Contributor

zkbot commented Oct 20, 2016

⌛️ Testing commit 78376ca with merge 78293a9...

@zkbot
Contributor

zkbot commented Oct 21, 2016

☀️ Test successful - zcash

@zkbot zkbot merged commit 78376ca into zcash:master Oct 21, 2016

1 check passed

homu Test successful