Suggested ‘rpcpassword’ should not be printed to debug.log #5094

issue maaku openend this issue on October 16, 2014
  1. maaku commented at 10:17 pm on October 16, 2014: contributor

    When starting with -server (or -daemon) and no rpcpassword option is set, the following text is printed to the console:

    0Error: To use the "-server" option, you must set a rpcpassword in the configuration file:
    1/home/user/.bitcoin/bitcoin.conf
    2It is recommended you use the following random password:
    3rpcuser=bitcoinrpc
    4rpcpassword=98FUPXSEJAc796o4c2kX8p8r1tsoNiWiiWFDBei83F8i
    5(you do not need to remember this password)
    6The username and password MUST NOT be the same.
    

    This is good. However the same text including the password is also printed to debug.log. That is a security risk as it is typically not expected that debug logs contain sensitive information. It would not be difficult to find bitcoin nodes which are exposing an RPC interface on the same IP address, despite warnings against this, and social engineer access to the debug.log and compromise the node.

  2. qubez commented at 9:30 am on October 18, 2014: none

    More info, after attempting to replicate, 0.9.3.

    Bitcoin-Qt does not write the error to debug.log, only bitcoind.

    I commented out rpcuser and rpcpassword in bitcoin.conf while leaving server=1. Received the error message via Bitcoin Qt dialog box but no error message was written to debug.log.

    It only displays the recommended password, not the actual password. It would take an unlikely chain of events for this to be exploited. The user would have to run bitcoind instead of the GUI to get the error added to the log, and then implement the recommended password. Then a user might be vulnerable after a “email me your debug.log and I’ll see if I can help” in conjunction with being tricked into opening up RPC with rpcallowip=*, and then the attacker also finding the IP of the victim. Otherwise using this would take local access where one could just steal wallet.dat.

  3. laanwj commented at 10:17 am on October 18, 2014: member

    Then a user might be vulnerable after a “email me your debug.log and I’ll see if I can help

    But that’s exactly what debug.log is for - troubleshooting. So there should be no overly sensitive information in it.

    It’s not a big looming security problem but IMO it makes sense to avoid the logging anyway (as implemented in #5095).

  4. laanwj closed this on Oct 20, 2014

  5. MarcoFalke locked this on Sep 8, 2021

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-12-22 12:12 UTC

This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me