go-ethereum

node: make generated jwt-secret ga+rw

Open holiman opened this issue 2 years ago • 2 comments

If geth generates a jwtsecret file, geth master makes it 0600, or -rw------ mode. This PR makes it into 0666, or -rw-rw-rw-. The reason is that a lot of setups use different users for the EL and the CL, due to differing docker image setups. Geth dockerfile, IIRC, runs with least hassle as root, whereas other dockerfiles might be more "according to best practice", and use a different user. Anyway, the idea is that anyone can read it, or modify it. As for the security implications: it makes geth a tad less 'secure' in a hostile multi-user scenario, but I'd argue that a validator beacon-geth setup where hostile parties have access to the OS is already pretty much compromised.

holiman, Sep 09 '22 11:09

Only the security guy... could weaken the permissions of the key file 😄

fjl, Sep 12 '22 12:09

... well, can I ? :green_circle: or :red_circle: ?

holiman, Sep 13 '22 15:09

Triage discussion: people were against this. The geth docker container can run as any arbitrary user, the op can decide what user to run it as -- and that's who will be creating the file. It was considered a documentation issue rather than something we should change. Closing

:smiling_face_with_tear:

holiman, Sep 29 '22 08:09
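
The trade-off discussed in this thread, as an added example (not part of the thread and not geth's own code): `writeSecret` creates a secret file with the 0600 mode the issue describes, and `auditSecret` flags modes such as 0666. The function names, the 32-byte hex content check, and the acceptance of group-read (0640) for setups where the EL and CL users share a group are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"os"
	"strings"
)

// writeSecret creates a 32-byte hex secret with mode 0600; O_EXCL refuses to overwrite.
func writeSecret(path string) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = f.WriteString(hex.EncodeToString(key))
	return err
}

// auditSecret lists mode and format problems; 0640 passes (assumed shared EL/CL group).
func auditSecret(path string) (out []string, err error) {
	info, err := os.Stat(path)
	if err != nil {
		return nil, err
	}
	if perm := info.Mode().Perm(); perm&0o027 != 0 {
		out = append(out, fmt.Sprintf("mode %04o: more than owner rw + group r", perm))
	}
	raw, err := os.ReadFile(path)
	if err != nil {
		return out, err
	}
	hexKey := strings.TrimPrefix(strings.TrimSpace(string(raw)), "0x")
	if key, err := hex.DecodeString(hexKey); err != nil || len(key) != 32 {
		out = append(out, "content is not a 32-byte hex string")
	}
	return out, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "jwt") // constructed scratch directory
	defer os.RemoveAll(dir)
	fmt.Println(writeSecret(dir+"/s"), os.Chmod(dir+"/s", 0o666), fmt.Sprint(auditSecret(dir+"/s")))
}
```

With a shared group, an operator would `chgrp` the file to that group and `chmod 0640` it, which this audit accepts while still rejecting 0666.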