Title: Make .cookie file readable for bitcoin group
Post by: RequestPrivacy on June 22, 2022, 01:32:52 PM

Hey everyone,
happy to post my first question in THE bitcoin forum.

Problem

I just installed Bitcoin Core 22.0 on a Raspberry Pi4. As far as I understand it, the preferred authentication method for rpc calls should be via the .cookie file. Since I want to compartmentalize all software on the node I would have thought that the correct procedure is to create a dedicated group (say btcCookie) with read access to the .cookie file and then add the different users that need access to that group (I'm thinking of generic users like for an indexer).

To create a dedicated group I changed the systemd bitcoin.service file to

Code: [Service]

This gave me indeed a dedicated group for the .cookie, bitcoind.pid and settings.json file. I'm not sure if it's a problem to have the pid and json file on the same group?!

Code: bitcoin@debian:~/.bitcoin $ ll

Anyways, now I need to get the .cookie file in a readable state for the btcCookie group like so:

Code: bitcoin@debian:~/.bitcoin $ ll

I've found someone with the same question https://www.reddit.com/r/Bitcoin/comments/9y1rtn/correct_way_to_use_cookie_auth_on_server/ but I'm not sure if his process is advisable and his outcome isn't problematic (in the process he also made mempool.dat and peers.dat group readable).

Another discussion re:permissions can be found here: https://bitcointalk.org/index.php?topic=5160894.0

Questions

1. How can I make the .cookie file group readable?
2. Is it problematic to have either or all of the following as group readable (bitcoind.pid, settings.json, mempool.dat and peers.dat)?
3. How can I prevent them from becoming group readable if so?
4. If no1 isn't possible, how can I provide other users with read access to the .cookie file?

Thank you and glad to be here!
Cheers, RequestPrivacy

Title: Re: Make .cookie file readable for bitcoin group
Post by: LoyceV on June 22, 2022, 02:30:59 PM

I'm not familiar with what you're asking, but if all you want is to give a user access to .cookie, why not just chgrp the file and hardlink it into their home directory?

Title: Re: Make .cookie file readable for bitcoin group
Post by: RequestPrivacy on June 22, 2022, 03:21:25 PM

Hey, thanks for the answer.
Not sure if I'm missing something or don't understand the magic behind hard-linking to the user's home but with my limited knowledge I see the following problems:

As the .cookie file is always created anew on bitcoind start and removed once bitcoind is stopped, I don't know if chgrp would set the group permanently for the file. I wouldn't expect it to, as it's always a new file with new content. That's also the reason why I went via the bitcoind.service route to set the group ownership.

And even if it would preserve the group, how can the hard-linking to the other user's home extend the file permission from a file it couldn't read in the first place?

Title: Re: Make .cookie file readable for bitcoin group
Post by: jackg on June 22, 2022, 03:34:28 PM

Can you not just
Code: sudo chmod 640 .cookie

If you're not used to doing things like this, it might be a reason not to and just run everything under admin until you actually need something more secure (e.g. have something people are likely to interact with).

Title: Re: Make .cookie file readable for bitcoin group
Post by: LoyceV on June 22, 2022, 03:54:32 PM

Quote: As the .cookie file is always created anew on bitcoind start and removed once bitcoind is stopped, I don't know if chgrp would set the group permanently for the file. I wouldn't expect it to, as it's always a new file with new content.

Can't you just recreate the hardlink and change group permissions each time bitcoind starts?

Quote: how can the hard-linking to the other user's home extend the file permission from a file it couldn't read in the first place?

I was thinking something like this:

Code: chgrp btcCookie .cookie

Title: Re: Make .cookie file readable for bitcoin group
Post by: RequestPrivacy on June 22, 2022, 04:35:49 PM

Those are all valid manual ways but I want to have my node do this automatically. I should have been more precise in communicating my final goal:
I want to set-up the node in such a way that - once it has a power failure and power comes back - everything auto-starts without me setting groups, links or permissions.
So I could write a script which looks for the .cookie file and once it is created by bitcoind changes group and permissions. systemctl would have to wait for this script to finish before bringing the indexer back up since its user needs the permissions to work properly. I just thought there is an easier way provided by bitcoind itself, as I thought that's the whole point of the .cookie file.

Title: Re: Make .cookie file readable for bitcoin group
Post by: tadamichi on June 22, 2022, 08:29:22 PM

Quote: Those are all valid manual ways but I want to have my node do this automatically. I should have been more precise in communicating my final goal:

This is possible and I have it set up that way. There's actually an easy guide that worked flawlessly for me, you might wanna look into it. You don't need a script btw.

Quote: I want to set-up the node in such a way that - once it has a power failure and power comes back - everything auto-starts without me setting groups, links or permissions.

https://raspibolt.org/guide/bitcoin/bitcoin-client.html#create-the-bitcoin-user

Title: Re: Make .cookie file readable for bitcoin group
Post by: vv181 on June 22, 2022, 10:58:59 PM

Quote: So I could write a script which looks for the .cookie file and once it is created by bitcoind changes group and permissions. systemctl would have to wait for this script to finish before bringing the indexer back up since its user needs the permissions to work properly. I just thought there is an easier way provided by bitcoind itself, as I thought that's the whole point of the .cookie file.

Take note of the above reference. Especially the systemd config: https://raspibolt.org/guide/bitcoin/bitcoin-client.html#autostart-on-boot.

What you need is the -startupnotify="chmod g+r /home/bitcoin/.bitcoin/.cookie" parameter.

The startupnotify option is used to specify a command to execute when Bitcoin Core has finished with its startup sequence. (#15367)

And I don't think you need a separate bitcoin group.
You just need bitcoin:bitcoin, and only assign the .cookie file as group readable, with the above command.

Title: Re: Make .cookie file readable for bitcoin group
Post by: NotATether on June 23, 2022, 10:58:15 AM

Place an ExecStartPost in the service section of the unit file pointing to a script (you can place it in /usr/local/bin), with the following contents:
Code: #!/bin/bash

The ExecStartPost script runs immediately after the service is started (i.e. bitcoind is started by systemd).

Title: Re: Make .cookie file readable for bitcoin group
Post by: RequestPrivacy on June 23, 2022, 08:50:49 PM

Thank you all for the discussion and your suggestions. The solutions @tadamichi @vv181 and @NotATether provided are exactly the thing I was looking for.
One final thing about grouping

Quote: And I don't think you need a separate bitcoin group. You just need bitcoin:bitcoin, and only assign the .cookie file as group readable, with the above command.

If I go with bitcoin:bitcoin and add every user who needs access to the .cookie file to the bitcoin group there is the potential that I give them all access to all other files only by falsely setting a group permission of a file.

With a dedicated bitcoin:btcCookie group for the .cookie file there is an additional layer of protection - since the other files would still be owned by bitcoin:bitcoin only. I would have to mess up group ownership AND file permissions. Maybe a bit overkill, I know but hey, why not ;)
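
Added example, not code from any poster in this thread: a shell helper in the spirit of the ExecStartPost approach discussed above. It waits for bitcoind to write .cookie, hands it to the dedicated group with mode 640, then lists any other datadir file that group or others can access. The btcCookie group and /home/bitcoin/.bitcoin path come from the thread; the function names and the script name share-cookie.sh are assumptions.

```shell
#!/bin/bash
# Added example, not from the thread. Assumed usage from a unit file:
#   ExecStartPost=/usr/local/bin/share-cookie.sh /home/bitcoin/.bitcoin btcCookie
# (share-cookie.sh is a hypothetical name; datadir and group are from the thread.)

# wait_for_cookie DIR [TIMEOUT]: poll once per second until DIR/.cookie exists.
# Returns 1 if it has not appeared after TIMEOUT seconds (default 60).
wait_for_cookie() {
    waited=0
    until [ -f "$1/.cookie" ]; do
        [ "$waited" -ge "${2:-60}" ] && return 1
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# share_cookie DIR GROUP: owner read/write, GROUP read-only, nothing for others.
share_cookie() {
    chgrp "$2" "$1/.cookie" && chmod 640 "$1/.cookie"
}

# audit_datadir DIR: print every regular file except .cookie that has any
# group or other permission bit set (GNU find "-perm /077").
audit_datadir() {
    find "$1" -type f ! -name .cookie -perm /077 -print
}

# Run only when called with "DIR GROUP"; a bare run does nothing.
if [ "$#" -eq 2 ]; then
    wait_for_cookie "$1" || { echo "no .cookie in $1" >&2; exit 1; }
    share_cookie "$1" "$2" || exit 1
    exposed=$(audit_datadir "$1")
    if [ -n "$exposed" ]; then
        echo "also accessible to group/others:" >&2
        echo "$exposed" >&2
    fi
fi
```

The audit only warns on stderr, so a stray group-readable peers.dat or settings.json shows up in the journal without failing the service.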