[CSM-25] Wallet secret key file mode

[dniku]

No description provided.

[mention-bot]

@Pastafarianist, thanks for your PR! By analyzing the history of the files in this pull request, we identified @gromakovsky, @neongreen and @flyingleafe to be potential reviewers.

[akegalj]

I wouldn't fail. Why don't we just have:

isFileMode600 :: (MonadIO m, MonadFail m) => FilePath -> m Bool

?

[akegalj]

if file mode isn't 600 we should:

1. Create a temporary file with the right permissions (under /tmp or something, I hope there is a library or a library function for that; I have no idea how to do this on Mac OS, for example)
2. Write the key into the file
3. Force-move the new file over the old one (like mv -f)

why are we failing at all?

[startling]

(/tmp works on OS X)

[startling]

Writing to a temporary file and then moving also makes this atomic (sometimes). Not sure whether that matters here, but it could make sense to always do that.

[akegalj]

@startling do you think it is ok to fail? This is our concern. For example user wants to run cardano-node with a key which is on disk, but it has wrong permissions. We can:

• fail and notify user that he should manually change permissions
• using steps described above ([CSM-25] Wallet secret key file mode #98 (comment)) just silently fix permissions

SSH fails in this situation. Should we do the same?

[startling]

is this the only place a key would be stored?

[dniku]

@startling I think so, but I'm not sure. We should ask someone who participated in designing this part. @flyingleafe?

UPD: @flyingleafe says that the *.key files in the cardano-sl directory are the only place where private keys are stored, not counting RAM during execution.

[startling]

I would tend towards exiting and having the user fix it, since this should never happen in normal operation?

[akegalj]

Yes. In normal operation we will create keys with the correct permissions. Ok, we will leave this as it is

@Pastafarianist ⏫

[vincenthz]

this is quite racy, for something that could be done as one operation; you can create the file (O_CREAT) and fail if it already exist (O_EXCL), and the mode are automatically set to be the right one with the 3rd parameters of open.

It's probably possible with unix already, but using the handle branch of foundation, you can do that with:

import Foundation.System.Bindings.Posix

withFilepath filepath $ \fp -> do
fd <- sysPosixOpen fp (sysPosix_O_WRONLY .|. sysPosix_O_CREAT .|. sysPosix_O_EXCL .|. sysPosix_O_NONBLOCK) (CMode 0o600)
...

[dniku]

@vincenthz Apparently, unix doesn't support O_CREAT. There is an open bug about that and a pull request which claims to fix it. It has not been merged in almost a year though. Seems like the library's authors don't have a lot of interest in it. We could fork it.

[startling]

This can race under certain circumstances.

• this code creates the file with mode 600
• Attacker (assuming there's write access to the directory) swaps it out with one that doesn't have the same permissions.
• this code finds it from the path and then writes to it, exposing secrets

I think this is marginal, since probably an attacker can't write to this directory. But it's much better to use the same file handle throughout.

[akegalj]

@startling I don't see where this:

Attacker (assuming there's write access to the directory) swaps it out with one that doesn't have the same permissions.

this code finds it from the path and then writes to it, exposing secrets

can happen. Can you point to the code?

[dniku]

@startling could you elaborate how this is a problem? writeRaw always ensures that the key is written with the correct permissions, so the secret should never be exposed.

[vincenthz]

If it's a shared directory (like /tmp without per-user tmp), then you defintely need to keep your fd after creation (specially relevant for tmp file). otherwise for a user directory, that is presumably not readable/writable by anyone else that probably doesn't matter much

[dniku]

@vincenthz AFAIU in the current implementation it's a user directory (for me, the *.key files are created in the root of the cloned cardano-sl repo).

[startling]

I see, I think I misunderstood.

[vincenthz]

you probably mean openBinaryTempFile, and openTempFile is actually using 0o666 as default mask + whatever the process umask is.

[dniku]

@vincenthz you're right about openBinaryTempFile, I'll fix that. Also, please see the docs for openTempFile:

The file is created with permissions such that only the current user can read/write it.

[neongreen]

It turned out that just #ifndef mingw32_HOST_OS is enough: https://ghc.haskell.org/trac/ghc/ticket/9945#comment:15

[dniku]

Fixed.

[neongreen]

We usually use Formatting for this (grep for sformat)

[neongreen]

It'd be nice if there was a comment saying what mode 600 corresponds to (afaik, “only owner can read and write”)

[dniku]

Fixed.

[neongreen]

Such things can be done with Formatting too, using e.g. the oct formatter

[dniku]

Fixed.

[neongreen]

So you want the file to be created even if BSL.hPut tempHandle $ encode u fails?

[dniku]

Uhh... I've fixed this to a more stable version, but the code has become significantly uglier, and I would welcome any suggestions on how to improve it.

[neongreen]

I can't say much about the actual content of this PR – it looks okay to me but keep in mind that I'm not a systems guy. I've requested some stylistic changes, though.

[vincenthz]

considering that it's use in a user directory, it seems fine.

[domenkozar]

Such redefinitions only introduce confusion in the code, are they really necessary?

[domenkozar]

Internal is not defined according to appveyor

[domenkozar]

@akegalj we are using -Werror now:

C:\projects\cardano-sl\srcPosUtilUserSecret.hs:31:1: warning: [-Wunused-imports]
        The import of `oct, sformat' from module `Formatting' is redundant
    
    <no location info>: error:

[akegalj]

@domenkozar right. I will remove warnings now