Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ensure Default Wallet Password Permissions Are Consistent #8444

Merged
merged 3 commits into from
Feb 15, 2021
Merged

Ensure Default Wallet Password Permissions Are Consistent #8444

merged 3 commits into from
Feb 15, 2021

Conversation

rauljordan
Copy link
Contributor

What type of PR is this?

Other

What does this PR do? Why is it needed?

Summarizing the issue found by a contributor:

If Prysm is started with --web and --write-wallet-password-on-web-onboarding it will store the wallet password in ~/.eth2validators/prysm-wallet-v2/walletpassword.txt after onboarding is completed, and this is later used to unlock the wallet when starting Prysm with the --web flag. File permissions are set correctly at file creation (0600), but Prysm will continue to start in the event that permissions are later adjusted to be readable by any user on the server.
Starting Prysm with --wallet-password-file and pointing to a wallet password file with incorrect file permissions also allows Prysm to start.
Given that this file contains sensitive data (cleartext version of the wallet password) it is advised to not allow Prysm to start if the file permissions are incorrectly set, similar to how SSH deals with private keys.

@rauljordan rauljordan requested a review from a team as a code owner February 12, 2021 21:38
@rauljordan rauljordan self-assigned this Feb 12, 2021
@rauljordan rauljordan added Ready For Review Security Security Related Issues labels Feb 12, 2021
@rauljordan rauljordan merged commit 7c3827a into develop Feb 15, 2021
@delete-merged-branch delete-merged-branch bot deleted the web-pass-vulnerability branch February 15, 2021 17:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@terencechain terencechain terencechain approved these changes

@shayzluf shayzluf Awaiting requested review from shayzluf

@prestonvanloon prestonvanloon Awaiting requested review from prestonvanloon

@rkapka rkapka Awaiting requested review from rkapka

@farazdagi farazdagi Awaiting requested review from farazdagi

@nisdas nisdas Awaiting requested review from nisdas

Assignees

@rauljordan rauljordan

Labels
Security Security Related Issues
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@rauljordan @terencechain