re: #32297 (review)
I notice this ExecuteHTTPRPC()
bypasses our only authorization barrier for RPC which is an HTTP header, maybe you deal with this in another commit but that should probably be documented in the ipcbind
help text.
Makes sense, updated ipcbind help text to mention RPC authentication.
You also left behind the jreq.authUser
check for RPC whitelist – which I believe only gets filled in by HTTPReq_JSONRPC()
.
Yes the username is sent so the bitcoin-cli
-rpcuser
option works. Currently, the username is only used for applying the RPC method whitelist, but it’s possible to imagine the username being used for other things in the future like logging, or having per-user settings & defautls, or being used for other permissions & whitelists.
I guess you need to parse the request to get the method before checking the whitelist, but I just wonder if there’s a footgun where a user has a whitelist set up for HTTP and somehow that blocks their IPC usage.
I wouldn’t say it’s a necessarily a footgun if the node is configured with a whitelist and the whitelist is then appiled. But of course this could be surprising if unexpected. I think a few different alternatives would be possible here that have different tradeoffs:
-
Could require username and password or cookie to be specified to call RPCs over the unix socket. I wouldn’t like this approach because it would negate many advantages of using a unix socket: that you can control access based only on file permissions and don’t need to deal with cookie files or hashed passwords or firewall rules. For example I think it is nice that current approach lets you run a node on a remote ssh server and forward the socket over ssh without requiring clients to send a password, and also without exposing the socket to other processes on the server (unlike a TCP socket which is exposed to all local processes).
-
Could ignore bitcoin-cli -rpcuser
option and not send it to the server. This could be ok but be limiting in the future if we wanted to use the username for more things like logging or having per-user defaults and settings.
-
Could accept username but ignore it when applying the RPC method whitelist. Username could be used for other things in the future, but all RPCs would be available regardless of username, avoiding the footgun you mentioned
-
(Current approach). Username would be sent with all requests but no passwords or cookies would be required. Other than using file permissions instead of passwords and cookies for authentication, the IPC interface would work the same as the RPC interface, so for example server admins could verify that their whitelist was configured correctly by just specifying usernames and not needing to specify or even know user passwords (if they are hashed).
I think any of these approaches could work but I liked (4) for authenticating with file permissions instead of layering on another authentication mechanism, but after authenticating, respecting the username and treating users the same regardless of how they connect.