lnd: fix mnemonic file access vulnerability

Previously, the mnemonic file was created with the shell's default umask and then tightened with a separate chmod, so it was readable by 'other' (and group) for a short window between creation and the chmod.
This commit is contained in:
Erik Arvstedt 2020-08-30 22:45:34 +02:00 committed by nixbitcoin
parent b97584f5cb
commit 6f032e3c40
No known key found for this signature in database
GPG Key ID: DD11F9AD5308B3BA


@ -174,13 +174,12 @@ in {
mnemonic=${secretsDir}/lnd-seed-mnemonic mnemonic=${secretsDir}/lnd-seed-mnemonic
if [[ ! -f $mnemonic ]]; then if [[ ! -f $mnemonic ]]; then
echo Create lnd seed echo Create lnd seed
umask u=r,go=
${pkgs.curl}/bin/curl -s \ ${pkgs.curl}/bin/curl -s \
--cacert ${secretsDir}/lnd-cert \ --cacert ${secretsDir}/lnd-cert \
-X GET https://127.0.0.1:${restPort}/v1/genseed | ${pkgs.jq}/bin/jq -c '.cipher_seed_mnemonic' > "$mnemonic" -X GET https://127.0.0.1:${restPort}/v1/genseed | ${pkgs.jq}/bin/jq -c '.cipher_seed_mnemonic' > "$mnemonic"
fi fi
chown lnd: "$mnemonic" chown lnd: "$mnemonic"
chmod 400 "$mnemonic"
''}" ''}"
"${let "${let
mainnetDir = "${cfg.dataDir}/chain/bitcoin/mainnet"; mainnetDir = "${cfg.dataDir}/chain/bitcoin/mainnet";
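Review bot: The `umask u=r,go=` added before the curl call changes the umask for the rest of this shell snippet, not just for the file it is meant to protect, and since the snippet is a Nix string that may be concatenated with other activation scripts it is safer to scope it: `( umask u=r,go=; ${pkgs.curl}/bin/curl -s --cacert ${secretsDir}/lnd-cert -X GET https://127.0.0.1:${restPort}/v1/genseed | ${pkgs.jq}/bin/jq -c '.cipher_seed_mnemonic' > "$mnemonic" )`. A second issue the hunk leaves in place is that the `> "$mnemonic"` redirection creates the file before curl or jq has produced anything, so if lnd is not yet answering on the REST port an empty or `null` file is left behind, and the `[[ ! -f $mnemonic ]]` guard will never regenerate it; writing to a temp file in `${secretsDir}` and moving it into place only after the pipeline succeeds (with `set -o pipefail`, which is not visible here) would avoid that. Dropping `chmod 400` also means a pre-existing mnemonic file with looser permissions is no longer corrected on activation; if that repair was intended, keep the chmod after the `chown`. The enclosing shell snippet and the surrounding Nix expression both continue outside this hunk.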