docs: clarify RPC credentials security boundary #33196

pull crStiv wants to merge 1 commits into bitcoin:master from crStiv:ishak2 changing 1 files +16 −0
  1. crStiv commented at 1:56 pm on August 15, 2025: none

    Explicitly states that RPC credentials grant full administrative access to the node and filesystem resources accessible by bitcoind. Adds a new section in JSON-RPC-interface.md to address issue #32274 by documenting that providing RPC credentials to untrusted clients

    reopened #32424

    P.S. I’ve tried to somehow squash all the commits from the previous pr but accidentally closed the pr and had no idea how to return back, therefore created a new pr, I’m really sorry for the inconvenience

  2. DrahtBot added the label Docs on Aug 15, 2025
  3. DrahtBot commented at 1:56 pm on August 15, 2025: contributor

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    Code Coverage & Benchmarks

    For details see: https://corecheck.dev/bitcoin/bitcoin/pulls/33196.

    Reviews

    See the guideline for information on the review process.

    Type Reviewers
    ACK janb84
    Stale ACK davidgumberg

    If your review is incorrectly listed, please copy-paste <!–meta-tag:bot-skip–> into the comment that the bot should ignore.

  4. janb84 commented at 9:03 am on August 18, 2025: contributor

    ACK 433954b6a5bd7480f7e05e58eafeac1dc6dfae7c

    This PR adds information about security considerations when using RPC clients. Although bitcoin-core has done everything to minimise the risks of using RPC, it’s good to inform the user of the risks and the extra security precautions the user can take.

    Informing the public about security risks and methods to mitigate them demonstrates responsible stewardship; therefore, I support this pull request.

  5. davidgumberg commented at 3:41 pm on October 21, 2025: contributor
    ACK 433954b
  6. in doc/JSON-RPC-interface.md:139 in 433954b6a5 
    134+  separate user accounts with restricted permissions) rather than relying solely on
135+  RPC access controls. While Bitcoin Core provides the `-rpcwhitelist` option to
136+  restrict which RPC commands specific users can access, and `-rpcwhitelistdefault`
137+  to control the default behavior for users without explicit whitelists, these should
138+  not be considered robust security boundaries, as users with access to certain
139+  commands may still be able to exploit functionality in unexpected ways.
    glozow commented at 4:52 pm on October 31, 2025:
    The first few sentences seem largely redundant with the rest of the docs (see few paragraphs of “Security” section, and “Secure authentication”. However, the bit about whitelisting RPC commands for specific users seems helpful.
    davidgumberg commented at 9:55 pm on November 20, 2025:
    I think the existing docs make it pretty clear that other processes/users with access to the machine can comprise the node, but I think what is not obvious in the existing docs is that the other direction is true as well, someone with RPC access can probably compromise the machine the bitcoind node is running on.
  7. crStiv force-pushed on Nov 3, 2025
  8. crStiv requested review from glozow on Nov 3, 2025
  9. docs: clarify RPC credentials security boundary 938312d7a6
  10. crStiv force-pushed on Dec 2, 2025
  11. crStiv requested review from davidgumberg on Dec 2, 2025
  12. sedited requested review from janb84 on Mar 16, 2026
  13. janb84 commented at 2:02 pm on March 16, 2026: contributor

    re ACK 938312d7a6dcf06cb401a16651e80320f36ee4db

    Still think its a valuable addition. It introduces a clearer and stronger trust-boundary statement that is not explicitly documented elsewhere. To me, users should be informed about this so that they do not compromise their node’s security unknowingly.

    Yes the paragraph is long and somewhat repetitive but it communicates the implications clearly, so that non (deeply) technical people should also understand the consequences of their actions in this.

    Most relevant overlaps with this change:

    docs/JSON-RPC-interface.md:L118-119:

    docs/JSON-RPC-interface.md:L144-163

    docs/init.md:L24

    This password does not have to be remembered or typed as it is mostly used as a fixed token that bitcoind and client programs read from the configuration file, however it is recommended that a strong and secure password be used as this password is security critical to securing the wallet should the wallet be enabled.

    If bitcoind is run with the “-server” flag (set by default), and no rpcpassword is set, it will use a special cookie file for authentication. The cookie is generated with random content when the daemon starts, and deleted when it exits. Read access to this file controls who can access it through RPC.

    By default the cookie is stored in the data directory, but its location can be overridden with the option -rpccookiefile. Default file permissions for the cookie are “owner” (i.e. user read/writeable) via default application-wide file umask of 0077, but these can be overridden with the -rpccookieperms option.

    This allows for running bitcoind without having to do any manual configuration.

    conf, pid, and wallet accept relative paths which are interpreted as relative to the data directory. wallet only supports relative paths.

    To generate an example configuration file that describes the configuration settings, see contrib/devtools/README.md.


crStiv DrahtBot janb84 davidgumberg glozow


davidgumberg glozow

Labels
Docs

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-05 06:13 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me