From 2a105edf044bc14b342e906ecfe12bc8a8b8074b Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 4 Apr 2026 13:16:22 +0000
Subject: [PATCH] Update tech support protected paths: remove root/.lnd, sparrow, bisq; add /home

Agent-Logs-Url: https://github.com/naturallaw777/staging_alpha/sessions/c1303e8b-ff51-4951-b64c-2162d9e9a805
Co-authored-by: naturallaw777 <99053422+naturallaw777@users.noreply.github.com>
---
 app/sovran_systemsos_web/server.py | 7 ++-----
 docs/tech-support-security.md | 12 ++++--------
 modules/core/tech-support.nix | 2 +-
 3 files changed, 7 insertions(+), 14 deletions(-)

diff --git a/app/sovran_systemsos_web/server.py b/app/sovran_systemsos_web/server.py
index 0dc3eed..f5b278f 100644
--- a/app/sovran_systemsos_web/server.py
+++ b/app/sovran_systemsos_web/server.py
@@ -80,13 +80,10 @@ WALLET_UNLOCK_DURATION_DEFAULT = 3600 # seconds (1 hour)
 
 # Wallet paths protected by default from the support user
 PROTECTED_WALLET_PATHS: list[str] = [
- "/var/lib/lnd",
- "/root/.lnd",
- "/var/lib/sparrow",
- "/root/.sparrow",
- "/root/.bisq",
 "/etc/nix-bitcoin-secrets",
 "/var/lib/bitcoind",
+ "/var/lib/lnd",
+ "/home",
 ]
 
 CATEGORY_ORDER = [
diff --git a/docs/tech-support-security.md b/docs/tech-support-security.md
index fc81309..e0610a5 100644
--- a/docs/tech-support-security.md
+++ b/docs/tech-support-security.md
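Review bot: In app/sovran_systemsos_web/server.py, adding `"/home"` to `PROTECTED_WALLET_PATHS` puts an open-ended, user-writable tree into a list that previously held fixed service directories, and the code that applies the list is outside the hunk. If the Hub applies entries the way the `setfacl -R -m u:sovran-support:---` command in docs/tech-support-security.md does, the deny entry only covers what exists when the session starts: files created under `/home` afterwards would not carry it unless a default ACL (`-d`) is set on the directories too, and the recursive walk over every home directory may noticeably delay session start. It is worth confirming that the `sovran-support` account's own home and SSH key file are not under `/home`, and that no existing install still keeps Sparrow data in `/var/lib/sparrow`, which the list no longer covers. Since the list is no longer wallet-only, the comment above it could read `# Paths hidden from the support user by default (wallet data, secrets, user homes)`.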
@@ -38,13 +38,10 @@ The following directories are locked by default when a support session starts:
 
 | Path | Contents |
 |------|----------|
-| `/var/lib/lnd` | LND wallet and channel database |
-| `/root/.lnd` | LND wallet (alternate location) |
-| `/var/lib/sparrow` | Sparrow wallet data |
-| `/root/.sparrow` | Sparrow wallet (alternate location) |
-| `/root/.bisq` | Bisq wallet and keys |
 | `/etc/nix-bitcoin-secrets` | nix-bitcoin generated secrets |
 | `/var/lib/bitcoind` | Bitcoin Core chainstate and wallet |
+| `/var/lib/lnd` | LND wallet and channel database |
+| `/home` | User home directories |
 
 Paths are only locked if they exist on disk at the time the session starts.
 
@@ -235,9 +232,8 @@ sed -i '/sovransystemsos-support/d' /root/.ssh/authorized_keys
 rm -f /var/lib/secrets/support-wallet-unlock
 
 # Re-apply wallet ACL protections
-setfacl -R -m u:sovran-support:--- /var/lib/lnd /root/.lnd \
- /var/lib/sparrow /root/.sparrow /root/.bisq \
- /etc/nix-bitcoin-secrets /var/lib/bitcoind 2>/dev/null || true
+setfacl -R -m u:sovran-support:--- /etc/nix-bitcoin-secrets \
+ /var/lib/bitcoind /var/lib/lnd /home 2>/dev/null || true
 
 # Restart sshd to drop any active connections
 systemctl restart sshd
diff --git a/modules/core/tech-support.nix b/modules/core/tech-support.nix
index d276e6c..2a0fd5d 100644
--- a/modules/core/tech-support.nix
+++ b/modules/core/tech-support.nix
@@ -7,7 +7,7 @@
 #
 # Security design:
 # • Support staff log in as `sovran-support`, not as root.
-# • Wallet directories (LND, Sparrow, Bisq, …) are locked with POSIX ACLs
+# • Protected directories (LND, bitcoind, nix-bitcoin-secrets, /home) are locked with POSIX ACLs
 # (u:sovran-support:---) by the Hub API as soon as a session is started.
 # • The Hub web UI lets the user grant time-limited access to wallet files
 # and view a full audit log of every session event.