Update tech support protected paths: remove root/.lnd, sparrow, bisq; add /home

Agent-Logs-Url: https://github.com/naturallaw777/staging_alpha/sessions/c1303e8b-ff51-4951-b64c-2162d9e9a805 Co-authored-by: naturallaw777 <99053422+naturallaw777@users.noreply.github.com>
2026-04-04 13:16:22 +00:00
parent 159238f4f8
commit 2a105edf04
3 changed files with 7 additions and 14 deletions
--- a/app/sovran_systemsos_web/server.py
+++ b/app/sovran_systemsos_web/server.py
@@ -80,13 +80,10 @@ WALLET_UNLOCK_DURATION_DEFAULT = 3600  # seconds (1 hour)

 # Wallet paths protected by default from the support user
 PROTECTED_WALLET_PATHS: list[str] = [
-    "/var/lib/lnd",
-    "/root/.lnd",
-    "/var/lib/sparrow",
-    "/root/.sparrow",
-    "/root/.bisq",
    "/etc/nix-bitcoin-secrets",
    "/var/lib/bitcoind",
+    "/var/lib/lnd",
+    "/home",
 ]

 CATEGORY_ORDER = [
--- a/docs/tech-support-security.md
+++ b/docs/tech-support-security.md
@@ -38,13 +38,10 @@ The following directories are locked by default when a support session starts:

 | Path | Contents |
 |------|----------|
-| `/var/lib/lnd` | LND wallet and channel database |
-| `/root/.lnd` | LND wallet (alternate location) |
-| `/var/lib/sparrow` | Sparrow wallet data |
-| `/root/.sparrow` | Sparrow wallet (alternate location) |
-| `/root/.bisq` | Bisq wallet and keys |
 | `/etc/nix-bitcoin-secrets` | nix-bitcoin generated secrets |
 | `/var/lib/bitcoind` | Bitcoin Core chainstate and wallet |
+| `/var/lib/lnd` | LND wallet and channel database |
+| `/home` | User home directories |

 Paths are only locked if they exist on disk at the time the session starts.

@@ -235,9 +232,8 @@ sed -i '/sovransystemsos-support/d' /root/.ssh/authorized_keys
 rm -f /var/lib/secrets/support-wallet-unlock

 # Re-apply wallet ACL protections
-setfacl -R -m u:sovran-support:--- /var/lib/lnd /root/.lnd \
-  /var/lib/sparrow /root/.sparrow /root/.bisq \
-  /etc/nix-bitcoin-secrets /var/lib/bitcoind 2>/dev/null || true
+setfacl -R -m u:sovran-support:--- /etc/nix-bitcoin-secrets \
+  /var/lib/bitcoind /var/lib/lnd /home 2>/dev/null || true

 # Restart sshd to drop any active connections
 systemctl restart sshd
--- a/modules/core/tech-support.nix
+++ b/modules/core/tech-support.nix
@@ -7,7 +7,7 @@
 #
 # Security design:
 #   • Support staff log in as `sovran-support`, not as root.
-#   • Wallet directories (LND, Sparrow, Bisq, …) are locked with POSIX ACLs
+#   • Protected directories (LND, bitcoind, nix-bitcoin-secrets, /home) are locked with POSIX ACLs
 #     (u:sovran-support:---) by the Hub API as soon as a session is started.
 #   • The Hub web UI lets the user grant time-limited access to wallet files
 #     and view a full audit log of every session event.