From ec4a4dbe4117857231e39524b792025968dd1fc9 Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Fri, 15 Oct 2021 15:56:14 +0200
Subject: [PATCH] btcpayserver: fix whitelist security issue

Whitelisting localhost implicitly whitelists all inbound onion connections. This prevents banning misbehaving inbound onion peers and enables message `mempool` which can cause privacy leaks.

Instead, grant `download` as the single bitcoind whitelist permission, which should be safe for onion peers.

Remove liquidd whitelisting because it doesn't support fine-grained permissions.

After a cursory glance at the nbxplorer code I think that nbxplorer requires none of the other default whitelist permissions (noban, mempool, relay).
Details: https://github.com/dgarage/NBXplorer/issues/344
---
 modules/btcpayserver.nix | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/modules/btcpayserver.nix b/modules/btcpayserver.nix
index cc959aa..4a95900 100644
--- a/modules/btcpayserver.nix
+++ b/modules/btcpayserver.nix
@@ -119,7 +119,7 @@ in {
 # Enable p2p connections
 listen = true;
 extraConfig = ''
- whitelist=${nbLib.address cfg.nbxplorer.address}
+ whitelist=download@${nbLib.address cfg.nbxplorer.address}
 '';
 };
 services.clightning.enable = mkIf (cfg.btcpayserver.lightningBackend == "clightning") true;
@@ -128,9 +128,6 @@ in {
 enable = true;
 # Enable p2p connections
 listen = true;
- extraConfig = ''
- whitelist=${nbLib.address cfg.nbxplorer.address}
- '';
 };
 services.lnd.macaroons.btcpayserver = mkIf (cfg.btcpayserver.lightningBackend == "lnd") {
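Review bot: The `download@` prefix on the new `whitelist=` line narrows the grant but still applies to every inbound onion peer, because Tor-forwarded connections arrive from the same loopback address as nbxplorer (the commit message relies on exactly this fact), and in Bitcoin Core `download` exempts a peer from the `-maxuploadtarget` disconnect and allows block download after that limit is hit, so anonymous inbound peers keep a bandwidth-exhaustion path even though the ban and `mempool` issues are closed. If the module controls the p2p bind, scoping the permission to a port that only nbxplorer uses — `whitebind=download@127.0.0.1:<port>` with nbxplorer pointed at that port — ties it to the intended client rather than to an address, though whether the onion service forwards to the same port is not visible here. Note also that the `perm@addr` whitelist syntax requires Bitcoin Core 0.19 or later, so an older pinned bitcoind would refuse to start on this line. At minimum, a comment above the `whitelist=` line should record the residual exposure: `# download@ still reaches inbound onion peers (same loopback source); it only lifts maxuploadtarget, unlike the default noban/mempool grants`. The enclosing attribute set (presumably the bitcoind service config) starts outside the hunk.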