I've been using Lightning Charge a fair bit, but I don't like that it has full control over the lightning node. It would be nice to have a way to limit RPC permissions, for instance just the ability to create and check the status of invoices.
One approach could be to have to multiple --rpc-file like arguments, each with their own set of permissions. The default RPC socket is owned by the user/group that launched the process, and permissions are set to 600. The additional RPC sockets should allowing specifying the group owner and set permission to 660. That way e.g. a system could have a group lightning_rpc_invoices whose users can use the RPC to create invoices.
Specifically this group should have access to: help, decodepay, getinfo, invoice, listinvoices, delinvoice (?), waitanyinvoice (?), waitinvoice, .
The above would go a long way. Some additional ideas:
individual RPC users can "own" invoices. With the example of Lightning Charge that would allow it to delete its own invoices, while not being able to mess with - or even see - invoices it doesn't own. That would suggest creating user (in stead of group) specific RPC interfaces, or moving to an authentication model more like what
bitcoinduses.a group that can manage channels, but not spend funds:
help,decodepay,getinfo,connect,listnodes,listpeers,disconnect,getroute,listchannels,fundchannel,close,newaddra group that can withdraw funds (on chain and off chain): same as channel manager, plus
sendpay,waitsendpay,pay,withdraw. Although that's a lot of permissions, at least it can't sabotage the node by physically reading the database from disk and broadcasting illegal states. It could be additionally constrained through an address (and destination node public key) whitelist.
Sjors
All 7 comments
Now it seems to me that, in true lightningd spirit of splitting things out to multiple daemons, we could implement this as a separate daemon, lightning_capabilityd. This would read a configuration file, which could be something like:
[*]
allow = help, getinfo, newaddr, decodepay
[/var/lightning-charge-rpc]
umask = 666
allow = invoice, listinvoices, delinvoice, waitanyinvoice, waitinvoice
[/var/lightning-cli-rpc]
allow = *
The capabilityd would read the configuration file, then set up the RPCs as specified, with each RPC having specified filtered methods. capabilityd would also filter the result of help so that only the RPCs allowed get help entries.
Then you would set up your tools (Lightning Charge, whatsoever) to use the specific RPCs.
ZmnSCPxj
on 1 Jun 2018
Please, let's not add yet another daemon. The capabilities enforcement is rather easy to implement (we have similar capabilities for hsmd already implemented), and I'd probably do a simple split into read-only and read-write RPC calls as an intermediate step.
cdecker
on 1 Jun 2018
You could, and should, write your own daemon to do this!
rustyrussell
on 24 Jun 2018
In that case having a "how to write your own RPC permission daemon for non-veteran kernel devs.md" would be useful :-)
Sjors
on 24 Jun 2018
Does the new plugin system make an RPC permission system easier? Is anyone working on that? For example it would be really nice if the user / group running Spark (cc @shesek) could be restricted to only paying and creating invoices, perhaps even with a spending limit per time window.
Sjors
on 23 Mar 2019
I'm currently playing with the idea of having a --plugin-runner command line argument that is prepended to the plugin execve call. This could allow the creation of a plugin firewall that can do arbitrary things with the plugins it controls (containerize them, run them as separate users, filter RPC commands, ...). Does that sounds like something that could be useful?
cdecker
on 25 Mar 2019
This could allow the creation of a plugin firewall that can do arbitrary things with the plugins it controls (containerize them, run them as separate users, filter RPC commands, ...). Does that sounds like something that could be useful?
Yes.
ZmnSCPxj
on 13 Jan 2020
Related issues
agilob
路
4Comments
SPIRY-RO
路
4Comments
billygarrison
路
3Comments
AndiMacTen
路
3Comments
willcl-ark
路
4Comments
Most helpful comment
In that case having a "how to write your own RPC permission daemon for non-veteran kernel devs.md" would be useful :-)