From 68bd6da583607fb1b0ca74695d823d8efffb4dd1 Mon Sep 17 00:00:00 2001 From: Luke Dashjr Date: Wed, 26 Jul 2023 18:53:01 +0000 Subject: [PATCH 1/3] RPC: Log if -rpccookieperms is being used --- src/httprpc.cpp | 3 ++- src/rpc/request.cpp | 11 +++++++---- src/rpc/request.h | 3 ++- 3 files changed, 11 insertions(+), 6 deletions(-) diff --git a/src/httprpc.cpp b/src/httprpc.cpp index c4297b8280..ae767be8d6 100644 --- a/src/httprpc.cpp +++ b/src/httprpc.cpp @@ -24,6 +24,7 @@ #include #include #include +#include #include using util::SplitString; @@ -305,7 +306,7 @@ static bool InitRPCAuthentication() } assert(strRPCUserColonPass.empty()); // Only support initializing once - if (!GenerateAuthCookie(&strRPCUserColonPass, cookie_perms)) { + if (!GenerateAuthCookie(&strRPCUserColonPass, std::make_pair(cookie_perms, bool(cookie_perms_arg)))) { return false; } if (strRPCUserColonPass.empty()) { diff --git a/src/rpc/request.cpp b/src/rpc/request.cpp index c55d33dac2..175f83ef8f 100644 --- a/src/rpc/request.cpp +++ b/src/rpc/request.cpp @@ -16,6 +16,7 @@ #include #include #include +#include #include /** @@ -97,7 +98,7 @@ static fs::path GetAuthCookieFile(bool temp=false) static bool g_generated_cookie = false; -bool GenerateAuthCookie(std::string* cookie_out, std::optional cookie_perms) +bool GenerateAuthCookie(std::string* cookie_out, const std::pair, bool>& cookie_perms) { const size_t COOKIE_SIZE = 32; unsigned char rand_pwd[COOKIE_SIZE]; @@ -118,9 +119,9 @@ bool GenerateAuthCookie(std::string* cookie_out, std::optional cookie return false; } - if (cookie_perms) { + if (cookie_perms.first) { std::error_code code; - fs::permissions(filepath_tmp, cookie_perms.value(), fs::perm_options::replace, code); + fs::permissions(filepath_tmp, cookie_perms.first.value(), fs::perm_options::replace, code); if (code) { LogWarning("Unable to set permissions on cookie authentication file %s", fs::PathToString(filepath_tmp)); return false; 
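Review bot: The `std::make_pair(cookie_perms, bool(cookie_perms_arg))` argument in InitRPCAuthentication (src/httprpc.cpp) passes GenerateAuthCookie an unnamed pair, and neither the call nor the new declaration in src/rpc/request.h documents what `.second` means. In the visible hunks `.first` decides whether `fs::permissions` runs, while the bool is read only to choose the log wording. Operators read that log line to judge how exposed the cookie file is, so I would add this to the declaration's doc comment: `cookie_perms.first: permissions to apply to the cookie file, if any; cookie_perms.second: true when -rpccookieperms was given (affects log wording only)`. The same applies to the definition in src/rpc/request.cpp, where a small struct with named members would read better than `.first`/`.second`. InitRPCAuthentication's body starts and ends outside the hunk.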
@@ -138,7 +139,9 @@ bool GenerateAuthCookie(std::string* cookie_out, std::optional cookie g_generated_cookie = true; LogInfo("Generated RPC authentication cookie %s\n", fs::PathToString(filepath)); - LogInfo("Permissions used for cookie: %s\n", PermsToSymbolicString(fs::status(filepath).permissions())); + LogInfo("Permissions used for cookie%s: %s\n", + cookie_perms.second ? " (set by -rpccookieperms)" : "", + PermsToSymbolicString(fs::status(filepath).permissions())); if (cookie_out) *cookie_out = cookie; diff --git a/src/rpc/request.h b/src/rpc/request.h index 24887e8691..fb379a95f8 100644 --- a/src/rpc/request.h +++ b/src/rpc/request.h @@ -9,6 +9,7 @@ #include #include #include +#include #include #include @@ -24,7 +25,7 @@ UniValue JSONRPCReplyObj(UniValue result, UniValue error, std::optional cookie_perms=std::nullopt); +bool GenerateAuthCookie(std::string* cookie_out, const std::pair, bool>& cookie_perms); /** Read the RPC authentication cookie from disk */ bool GetAuthCookie(std::string *cookie_out); /** Delete RPC authentication cookie from disk */ From 6da7613ee52024a60360d9bc5a461d117080e1a6 Mon Sep 17 00:00:00 2001 From: Luke Dashjr Date: Sun, 31 Dec 2023 01:11:11 +0000 Subject: [PATCH 2/3] RPC: Use normal stringification for perms_to_str --- src/util/fs_helpers.cpp | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/src/util/fs_helpers.cpp b/src/util/fs_helpers.cpp index 41c8fe3b8f..e73351189c 100644 --- a/src/util/fs_helpers.cpp +++ b/src/util/fs_helpers.cpp 
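Review bot: The reworked `LogInfo` in GenerateAuthCookie (src/rpc/request.cpp) still calls the throwing overload `fs::status(filepath)`. A failed lookup would throw from a log statement, after `g_generated_cookie = true` and before the `*cookie_out = cookie` assignment that follows. I would use the `std::error_code` overload and log only on success: `std::error_code ec; const auto st{fs::status(filepath, ec)};` followed by `if (!ec) LogInfo(..., PermsToSymbolicString(st.permissions()));`. Without the `ec` check a failed lookup yields `fs::perms::unknown`, which would presumably render as a fully permissive string and mislead anyone using the log to audit cookie exposure. The function body starts outside the hunk and appears to continue past it.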
@@ -275,21 +275,37 @@ std::string PermsToSymbolicString(fs::perms p) { std::string perm_str(9, '-'); - auto set_perm = [&](size_t pos, fs::perms required_perm, char letter) { + auto set_perm = [&](size_t pos, fs::perms required_perm, char letter, char else_letter = '\0') { if ((p & required_perm) != fs::perms::none) { perm_str[pos] = letter; + } else if (else_letter) { + perm_str[pos] = else_letter; } }; set_perm(0, fs::perms::owner_read, 'r'); set_perm(1, fs::perms::owner_write, 'w'); - set_perm(2, fs::perms::owner_exec, 'x'); + if ((p & fs::perms::owner_exec) != fs::perms::none) { + set_perm(2, fs::perms::set_uid, 's', 'x'); + } else { + set_perm(2, fs::perms::set_uid, 'S'); + } + set_perm(3, fs::perms::group_read, 'r'); set_perm(4, fs::perms::group_write, 'w'); - set_perm(5, fs::perms::group_exec, 'x'); + if ((p & fs::perms::group_exec) != fs::perms::none) { + set_perm(5, fs::perms::set_gid, 's', 'x'); + } else { + set_perm(5, fs::perms::set_gid, 'S'); + } + set_perm(6, fs::perms::others_read, 'r'); set_perm(7, fs::perms::others_write, 'w'); - set_perm(8, fs::perms::others_exec, 'x'); + if ((p & fs::perms::others_exec) != fs::perms::none) { + set_perm(8, fs::perms::sticky_bit, 't', 'x'); + } else { + set_perm(8, fs::perms::sticky_bit, 'T'); + } return perm_str; } From 20aab08a6a1bcc759cadf2e7c2cd1ad8fc9763b7 Mon Sep 17 00:00:00 2001 From: Luke Dashjr Date: Thu, 16 May 2024 21:33:00 +0000 Subject: [PATCH 3/3] Bugfix: rpccookieperms: If rpccookieperms is disabled, the end permissions are NOT set by it (log output only) --- src/rpc/request.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/rpc/request.cpp b/src/rpc/request.cpp index 175f83ef8f..320667d7cf 100644 --- a/src/rpc/request.cpp +++ b/src/rpc/request.cpp @@ -140,7 +140,7 @@ bool GenerateAuthCookie(std::string* cookie_out, const std::pair
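Review bot: The three exec-slot blocks added to PermsToSymbolicString (src/util/fs_helpers.cpp) repeat the same if/else shape. They also give `set_perm` a defaulted `else_letter` with a `'\0'` sentinel, which makes the lambda harder to read than the cases it serves. A second lambda that takes the exec bit and the special bit together expresses the s/S and t/T rule once, and lets `set_perm` keep its original three-parameter form. The output is the same for every combination: lower-case when exec and the special bit are both set, upper-case when only the special bit is set, `x` when only exec is set, and `-` otherwise. Since this string is logged to report the cookie file's mode, a unit test covering setuid, setgid and sticky with and without exec would help keep the rendering correct.

```cpp
    // Exec slot: lower-case special letter when the exec bit is also set, upper-case when it is not.
    auto set_exec = [&](size_t pos, fs::perms exec_perm, fs::perms special_perm, char lower, char upper) {
        const bool exec{(p & exec_perm) != fs::perms::none};
        const bool special{(p & special_perm) != fs::perms::none};
        if (special) {
            perm_str[pos] = exec ? lower : upper;
        } else if (exec) {
            perm_str[pos] = 'x';
        }
    };

    // … unchanged: set_perm calls for the read and write bits …
    set_exec(2, fs::perms::owner_exec, fs::perms::set_uid, 's', 'S');
    set_exec(5, fs::perms::group_exec, fs::perms::set_gid, 's', 'S');
    set_exec(8, fs::perms::others_exec, fs::perms::sticky_bit, 't', 'T');
```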