Merge pull request #1465 from openoms/loop-security

Loop: enhanced privacy, security and update
2025-02-24 22:58:43 +01:00 · 2020-08-24 18:10:55 +02:00 · 2020-08-24 18:10:55 +02:00 · 24471983a2
commit 24471983a2
parent fcd3183894 e948e1470e
5 changed files with 114 additions and 20 deletions
--- a/build_sdcard.sh
+++ b/build_sdcard.sh
@ -443,6 +443,11 @@ echo "*** ADDING GROUPS FOR CREDENTIALS STORE ***"
 sudo /usr/sbin/groupadd --force --gid 9700 lndadmin
 sudo /usr/sbin/groupadd --force --gid 9701 lndinvoice
 sudo /usr/sbin/groupadd --force --gid 9702 lndreadonly
+sudo /usr/sbin/groupadd --force --gid 9703 lndinvoices
+sudo /usr/sbin/groupadd --force --gid 9704 lndchainnotifier
+sudo /usr/sbin/groupadd --force --gid 9705 lndsigner
+sudo /usr/sbin/groupadd --force --gid 9706 lndwalletkit
+sudo /usr/sbin/groupadd --force --gid 9707 lndrouter

 echo ""
 echo "*** SWAP FILE ***"
--- a/home.admin/00settingsMenuServices.sh
+++ b/home.admin/00settingsMenuServices.sh
@ -66,6 +66,8 @@ if [ "${loop}" != "${choice}" ]; then
  errorOnInstall=$?
  if [ "${choice}" =  "on" ]; then
    if [ ${errorOnInstall} -eq 0 ]; then
+      # check macaroons and fix missing
+      /home/admin/config.scripts/lnd.credential.sh check
      sudo systemctl start loopd
      /home/admin/config.scripts/bonus.loop.sh menu
    else
--- a/home.admin/config.scripts/bonus.bos.sh
+++ b/home.admin/config.scripts/bonus.bos.sh
@ -54,7 +54,7 @@ if [ "$1" = "1" ] || [ "$1" = "on" ]; then
  # create symlink
  sudo ln -s "/mnt/hdd/app-data/lnd/" "/home/bos/.lnd"
  
-  # make sure rtl is member of lndadmin
+  # add user to group with admin access to lnd
  sudo /usr/sbin/usermod --append --groups lndadmin bos
  
  # install bos
--- a/home.admin/config.scripts/bonus.loop.sh
+++ b/home.admin/config.scripts/bonus.loop.sh
@ -33,25 +33,58 @@ if [ "$1" = "1" ] || [ "$1" = "on" ]; then
  
  isInstalled=$(sudo ls /etc/systemd/system/loopd.service 2>/dev/null | grep -c 'loopd.service')
  if [ ${isInstalled} -eq 0 ]; then
+
+    # install Go
    /home/admin/config.scripts/bonus.go.sh on
    
    # get Go vars
    source /etc/profile

-    cd /home/bitcoin
-    sudo -u bitcoin git clone https://github.com/lightninglabs/loop.git
-    cd /home/bitcoin/loop
+    # create dedicated user
+    sudo adduser --disabled-password --gecos "" loop
+
+    # make sure symlink to central app-data directory exists ***"
+    sudo rm -rf /home/loop/.lnd  # not a symlink.. delete it silently
+    # create symlink
+    sudo ln -s "/mnt/hdd/app-data/lnd/" "/home/loop/.lnd"
+
+    # sync all macaroons and unix groups for access
+    /home/admin/config.scripts/lnd.credentials.sh sync
+    # macaroons will be checked after install
+
+    # add user to group with admin access to lnd
+    sudo /usr/sbin/usermod --append --groups lndadmin loop
+    # add user to group with readonly access on lnd
+    sudo /usr/sbin/usermod --append --groups lndreadonly loop
+    # add user to group with invoice access on lnd
+    sudo /usr/sbin/usermod --append --groups lndinvoice loop
+    # add user to groups with all macaroons
+    sudo /usr/sbin/usermod --append --groups lndinvoices loop
+    sudo /usr/sbin/usermod --append --groups lndchainnotifier loop
+    sudo /usr/sbin/usermod --append --groups lndsigner loop
+    sudo /usr/sbin/usermod --append --groups lndwalletkit loop
+    sudo /usr/sbin/usermod --append --groups lndrouter loop
+
+    # install from source
+    cd /home/loop
+    sudo -u loop git clone https://github.com/lightninglabs/loop.git
+    cd /home/loop/loop
+
    # https://github.com/lightninglabs/loop/releases
-    source <(sudo -u admin /home/admin/config.scripts/lnd.update.sh info)
-    if [ ${lndInstalledVersionMain} -lt 10 ]; then
-      sudo -u bitcoin git reset --hard v0.5.1-beta
-    else
-      sudo -u bitcoin git reset --hard v0.6.5-beta
-    fi
-    cd /home/bitcoin/loop/cmd
+    sudo -u loop git reset --hard v0.8.0-beta
+    cd /home/loop/loop/cmd
    go install ./...
    
    # make systemd service
+
+    if [ "${runBehindTor}" = "on" ]; then
+      echo "Will connect to Loop server through Tor"
+      proxy="--server.proxy=127.0.0.1:9050"
+    else
+      echo "Will connect to Loop server through clearnet"
+      proxy=""
+    fi
+
    # sudo nano /etc/systemd/system/loopd.service 
    echo "
 [Unit]
@ -59,10 +92,10 @@ Description=Loopd Service
 After=lnd.service

 [Service]
-WorkingDirectory=/home/bitcoin/loop
-ExecStart=/usr/local/gocode/bin/loopd --network=${chain}net
-User=bitcoin
-Group=bitcoin
+WorkingDirectory=/home/loop/loop
+ExecStart=/usr/local/gocode/bin/loopd --network=${chain}net ${proxy}
+User=loop
+Group=loop
 Type=simple
 KillMode=process
 TimeoutSec=60
@ -102,10 +135,13 @@ if [ "$1" = "0" ] || [ "$1" = "off" ]; then
  isInstalled=$(sudo ls /etc/systemd/system/loopd.service 2>/dev/null | grep -c 'loopd.service')
  if [ ${isInstalled} -eq 1 ]; then
    echo "*** REMOVING LIGHTNING LOOP SERVICE ***"
+    # remove the systemd service
    sudo systemctl stop loopd
    sudo systemctl disable loopd
    sudo rm /etc/systemd/system/loopd.service
-    sudo rm -rf /home/bitcoin/loop
+    # delete user 
+    sudo userdel -rf loop
+    # delete Go packages
    sudo rm  /usr/local/gocode/bin/loop
    sudo rm  /usr/local/gocode/bin/loopd
    echo "OK, the Loop Service is removed."
--- a/home.admin/config.scripts/lnd.credentials.sh
+++ b/home.admin/config.scripts/lnd.credentials.sh
@ -3,7 +3,7 @@
 # command info
 if [ "$1" = "-h" ] || [ "$1" = "-help" ]; then
  echo "tool to reset or sync credentials (e.g. macaroons)"
-  echo "lnd.credentials.sh [reset|sync] [?tls|macaroons]"
+  echo "lnd.credentials.sh [reset|sync|check] [?tls|macaroons|keepold]"
  exit 1
 fi

@ -59,6 +59,23 @@ function copy_mac_set_perms() {
  sudo /bin/chmod --silent 640 /mnt/hdd/app-data/lnd/data/chain/"${n}"/"${c}"net/"${file_name}"
 }

+function check_macaroons() {
+macaroons="admin.macaroon invoice.macaroon readonly.macaroon invoices.macaroon chainnotifier.macaroon signer.macaroon  walletkit.macaroon router.macaroon"
+missing=0
+for macaroon in $macaroons
+do
+  local file_name=${macaroon}
+  local n=${1:-bitcoin} # the network (e.g. bitcoin or litecoin) defaults to bitcoin
+  local c=${2:-main}    # the chain (e.g. main, test, sim, reg) defaults to main (for mainnet)
+  if [ ! -f /mnt/hdd/app-data/lnd/data/chain/"${n}"/"${c}"net/"${macaroon}" ]; then
+    missing=$(($missing + 1))
+    echo "# ${macaroon} is missing ($missing)"
+  else
+    echo "# ${macaroon} is present"
+  fi
+done
+}
+
 ###########################
 # RESET Macaroons and TLS
 ###########################
@ -78,18 +95,28 @@ if [ "$1" = "reset" ]; then
    resetMacaroons=0
  fi
  if [ "$2" == "macaroons" ]; then
-    echo "# just resetting Macaroons"
+    echo "# just resetting macaroons"
    resetTLS=0
    resetMacaroons=1
+    keepOldMacaroons=0
  fi
-  
+  if [ "$2" == "keepold" ]; then
+    echo "# add the missing default macaroons without deauthenticating the old ones"
+    resetTLS=0
+    resetMacaroons=1
+    keepOldMacaroons=1
+  fi
+
+
  if [ ${resetMacaroons} -eq 1 ]; then
    echo "## Resetting Macaroons"
    echo "# all your macaroons get deleted and recreated"
    cd || exit
    sudo find /mnt/hdd/app-data/lnd/data/chain/"${network}"/"${chain}"net/ -iname '*.macaroon' -delete
    sudo find /home/bitcoin/.lnd/data/chain/"${network}"/"${chain}"net/ -iname '*.macaroon' -delete
-    sudo rm /home/bitcoin/.lnd/data/chain/"${network}"/"${chain}"net/macaroons.db
+    if [ ${keepOldMacaroons} -eq 0 ]; then
+      sudo rm /home/bitcoin/.lnd/data/chain/"${network}"/"${chain}"net/macaroons.db
+    fi
  fi

  if [ ${resetTLS} -eq 1 ]; then
@ -126,10 +153,25 @@ elif [ "$1" = "sync" ]; then
  echo "# make sure LND app-data directories exist"
  sudo /bin/mkdir --mode 0755 --parents /mnt/hdd/app-data/lnd/data/chain/"${network}"/"${chain}"net/

+  echo `# make sure all user groups exit for default macaroons`
+  sudo /usr/sbin/groupadd --force --gid 9700 lndadmin
+  sudo /usr/sbin/groupadd --force --gid 9701 lndinvoice
+  sudo /usr/sbin/groupadd --force --gid 9702 lndreadonly
+  sudo /usr/sbin/groupadd --force --gid 9703 lndinvoices
+  sudo /usr/sbin/groupadd --force --gid 9704 lndchainnotifier
+  sudo /usr/sbin/groupadd --force --gid 9705 lndsigner
+  sudo /usr/sbin/groupadd --force --gid 9706 lndwalletkit
+  sudo /usr/sbin/groupadd --force --gid 9707 lndrouter
+
  echo "# copy macaroons to central app-data directory and ensure unix ownerships and permissions"
  copy_mac_set_perms admin.macaroon lndadmin "${network}" "${chain}"
  copy_mac_set_perms invoice.macaroon lndinvoice "${network}" "${chain}"
  copy_mac_set_perms readonly.macaroon lndreadonly "${network}" "${chain}"
+  copy_mac_set_perms invoices.macaroon lndinvoices "${network}" "${chain}"
+  copy_mac_set_perms chainnotifier.macaroon lndchainnotifier "${network}" "${chain}"
+  copy_mac_set_perms signer.macaroon lndsigner "${network}" "${chain}"
+  copy_mac_set_perms walletkit.macaroon lndwalletkit "${network}" "${chain}"
+  copy_mac_set_perms router.macaroon lndrouter "${network}" "${chain}"

  echo "# make sure admin has a symlink at ~/.lnd to /mnt/hdd/app-data/lnd/"
  if ! [[ -L "/home/admin/.lnd" ]]; then
@ -167,6 +209,15 @@ elif [ "$1" = "sync" ]; then
    sudo -u admin /home/admin/config.scripts/bonus.lnbits.sh write-macaroons
  fi
  
+###########################
+# Check Macaroons and fix missing
+###########################
+elif [ "$1" = "check" ]; then
+  check_macaroons ${network} ${chain}
+  if [ $missing -gt 0 ]; then
+    /home/admin/config.scrips/lnd.creds.sh reset keepold
+  fi
+
 ###########################
 # UNKNOWN
 ###########################