From aded0528f0e1e3735ce8dd26fd9e546150b73187 Mon Sep 17 00:00:00 2001 From: setpill <37372069+setpill@users.noreply.github.com> Date: Tue, 6 Aug 2019 13:05:43 +0200 Subject: [PATCH 1/4] Improve clarity of systemd service file comments The phrasing seemed to indicate that the options specified in ExecStart= could not be specified in the config file, necessitating their inclusion in the service file. However, the options in the config file simply get overridden by any specified in ExecStart=. --- contrib/init/bitcoind.service | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/contrib/init/bitcoind.service b/contrib/init/bitcoind.service index cfc5f775800..79f07666fd6 100644 --- a/contrib/init/bitcoind.service +++ b/contrib/init/bitcoind.service @@ -5,8 +5,9 @@ # See "man systemd.service" for details. # Note that almost all daemon options could be specified in -# /etc/bitcoin/bitcoin.conf, except for those explicitly specified as arguments -# in ExecStart= +# /etc/bitcoin/bitcoin.conf, but keep in mind those explicitly +# specified as arguments in ExecStart= will override those in the +# config file. [Unit] Description=Bitcoin daemon From 639a416e3758b3005b860b198f0ec7bdd80a7f0c Mon Sep 17 00:00:00 2001 From: setpill <37372069+setpill@users.noreply.github.com> Date: Tue, 6 Aug 2019 14:21:34 +0200 Subject: [PATCH 2/4] Chgrp config dir to bitcoin in systemd service Rather than making the config dir world-readable, which potentially leaks RPC credentials, the group of the directory is changed to the one the service is executed as. --- contrib/init/bitcoind.service | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/contrib/init/bitcoind.service b/contrib/init/bitcoind.service index 79f07666fd6..5f9a6490972 100644 --- a/contrib/init/bitcoind.service +++ b/contrib/init/bitcoind.service @@ -19,6 +19,10 @@ ExecStart=/usr/bin/bitcoind -daemon \ -conf=/etc/bitcoin/bitcoin.conf \ -datadir=/var/lib/bitcoind +# Make sure the config directory is readable by the service user +PermissionsStartOnly=true +ExecStartPre=/bin/chgrp bitcoin /etc/bitcoin + # Process management #################### From 870d4152dfc3d990e336723562948835c2dbd646 Mon Sep 17 00:00:00 2001 From: setpill <37372069+setpill@users.noreply.github.com> Date: Tue, 6 Aug 2019 14:34:07 +0200 Subject: [PATCH 3/4] Set ProtectHome in systemd service file Further hardening; the service should be run with as many restrictions as possible without breaking it. --- contrib/init/bitcoind.service | 3 +++ 1 file changed, 3 insertions(+) diff --git a/contrib/init/bitcoind.service b/contrib/init/bitcoind.service index 5f9a6490972..34c3e7b3ab9 100644 --- a/contrib/init/bitcoind.service +++ b/contrib/init/bitcoind.service @@ -58,6 +58,9 @@ PrivateTmp=true # Mount /usr, /boot/ and /etc read-only for the process. ProtectSystem=full +# Deny access to /home, /root and /run/user +ProtectHome=true + # Disallow the process and all of its children to gain # new privileges through execve(). NoNewPrivileges=true From f3b57f4a1c17aadbf02d408e980490c88838c6ba Mon Sep 17 00:00:00 2001 From: setpill <37372069+setpill@users.noreply.github.com> Date: Tue, 6 Aug 2019 16:48:10 +0200 Subject: [PATCH 4/4] Unrecommend making config file owned by bitcoin The bitcoin user needs read access to the configuration file, but write access is not needed. It is not considered best practice to make configuration directories and files owned by the services reading them. --- doc/init.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/doc/init.md b/doc/init.md index a6c9bb94d84..87e939c636d 100644 --- a/doc/init.md +++ b/doc/init.md @@ -59,11 +59,11 @@ Data directory: `/var/lib/bitcoind` PID file: `/var/run/bitcoind/bitcoind.pid` (OpenRC and Upstart) or `/run/bitcoind/bitcoind.pid` (systemd) Lock file: `/var/lock/subsys/bitcoind` (CentOS) -The configuration file, PID directory (if applicable) and data directory -should all be owned by the bitcoin user and group. It is advised for security -reasons to make the configuration file and data directory only readable by the -bitcoin user and group. Access to bitcoin-cli and other bitcoind rpc clients -can then be controlled by group membership. +The PID directory (if applicable) and data directory should both be owned by the +bitcoin user and group. It is advised for security reasons to make the +configuration file and data directory only readable by the bitcoin user and +group. Access to bitcoin-cli and other bitcoind rpc clients can then be +controlled by group membership. NOTE: When using the systemd .service file, the creation of the aforementioned directories and the setting of their permissions is automatically handled by