Update file permissions (#2499)

## Issue Addressed Resolves #2438 Resolves #2437 ## Proposed Changes Changes the permissions for validator client http server api token file and secret key to 600 from 644. Also changes the permission for logfiles generated using the `--logfile` cli option to 600. Logs the path to the api token instead of the actual api token. Updates docs to reflect the change.
2026-03-02 16:21:42 +00:00 · 2021-09-03 02:41:10 +00:00
parent 50321c6671
commit 6f18f95893
7 changed files with 38 additions and 17 deletions
--- a/validator_client/src/http_api/api_secret.rs
+++ b/validator_client/src/http_api/api_secret.rs
@@ -1,9 +1,10 @@
 use eth2::lighthouse_vc::{PK_LEN, SECRET_PREFIX as PK_PREFIX};
+use filesystem::create_with_600_perms;
 use libsecp256k1::{Message, PublicKey, SecretKey};
 use rand::thread_rng;
 use ring::digest::{digest, SHA256};
 use std::fs;
-use std::path::Path;
+use std::path::{Path, PathBuf};
 use warp::Filter;

 /// The name of the file which stores the secret key.
@@ -37,6 +38,7 @@ pub const PK_FILENAME: &str = "api-token.txt";
 pub struct ApiSecret {
    pk: PublicKey,
    sk: SecretKey,
+    pk_path: PathBuf,
 }

 impl ApiSecret {
@@ -55,12 +57,20 @@ impl ApiSecret {
            let sk = SecretKey::random(&mut thread_rng());
            let pk = PublicKey::from_secret_key(&sk);

-            fs::write(
+            // Create and write the secret key to file with appropriate permissions
+            create_with_600_perms(
                &sk_path,
                eth2_serde_utils::hex::encode(&sk.serialize()).as_bytes(),
            )
-            .map_err(|e| e.to_string())?;
-            fs::write(
+            .map_err(|e| {
+                format!(
+                    "Unable to create file with permissions for {:?}: {:?}",
+                    sk_path, e
+                )
+            })?;
+
+            // Create and write the public key to file with appropriate permissions
+            create_with_600_perms(
                &pk_path,
                format!(
                    "{}{}",
@@ -69,7 +79,12 @@ impl ApiSecret {
                )
                .as_bytes(),
            )
-            .map_err(|e| e.to_string())?;
+            .map_err(|e| {
+                format!(
+                    "Unable to create file with permissions for {:?}: {:?}",
+                    pk_path, e
+                )
+            })?;
        }

        let sk = fs::read(&sk_path)
@@ -133,7 +148,7 @@ impl ApiSecret {
            ));
        }

-        Ok(Self { pk, sk })
+        Ok(Self { pk, sk, pk_path })
    }

    /// Returns the public key of `self` as a 0x-prefixed hex string.
@@ -146,6 +161,11 @@ impl ApiSecret {
        format!("{}{}", PK_PREFIX, self.pubkey_string())
    }

+    /// Returns the path for the API token file
+    pub fn api_token_path(&self) -> &PathBuf {
+        &self.pk_path
+    }
+
    /// Returns the value of the `Authorization` header which is used for verifying incoming HTTP
    /// requests.
    fn auth_header_value(&self) -> String {
--- a/validator_client/src/http_api/mod.rs
+++ b/validator_client/src/http_api/mod.rs
@@ -125,7 +125,7 @@ pub fn serve<T: 'static + SlotClock + Clone, E: EthSpec>(
    }

    let authorization_header_filter = ctx.api_secret.authorization_header_filter();
-    let api_token = ctx.api_secret.api_token();
+    let api_token_path = ctx.api_secret.api_token_path();
    let signer = ctx.api_secret.signer();
    let signer = warp::any().map(move || signer.clone());

@@ -505,7 +505,7 @@ pub fn serve<T: 'static + SlotClock + Clone, E: EthSpec>(
        log,
        "HTTP API started";
        "listen_address" => listening_socket.to_string(),
-        "api_token" => api_token,
+        "api_token_file" => ?api_token_path,
    );

    Ok((listening_socket, server))