Sovran_Systems/Sovran_SystemsOS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #44 from naturallaw777/copilot/update-tech-support-ssh-login-paths

Browse Source 
Simplify tech support protected paths: replace per-app dirs with /home
This commit is contained in:
Sovran_Systems
2026-04-04 08:17:14 -05:00
committed by GitHub
parent 868cdd9132 2a105edf04
commit b6be88d01f
3 changed files with 7 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
app/sovran_systemsos_web/server.py
View File

@@ -80,13 +80,10 @@ WALLET_UNLOCK_DURATION_DEFAULT = 3600 # seconds (1 hour)
# Wallet paths protected by default from the support user # Wallet paths protected by default from the support user
PROTECTED_WALLET_PATHS: list[str] = [ PROTECTED_WALLET_PATHS: list[str] = [
"/var/lib/lnd",
"/root/.lnd",
"/var/lib/sparrow",
"/root/.sparrow",
"/root/.bisq",
"/etc/nix-bitcoin-secrets", "/etc/nix-bitcoin-secrets",
"/var/lib/bitcoind", "/var/lib/bitcoind",
"/var/lib/lnd",
"/home",
] ]
CATEGORY_ORDER = [ CATEGORY_ORDER = [

12
docs/tech-support-security.md
View File

@@ -38,13 +38,10 @@ The following directories are locked by default when a support session starts:
| Path | Contents | | Path | Contents |
|------|----------| |------|----------|
| `/var/lib/lnd` | LND wallet and channel database |
| `/root/.lnd` | LND wallet (alternate location) |
| `/var/lib/sparrow` | Sparrow wallet data |
| `/root/.sparrow` | Sparrow wallet (alternate location) |
| `/root/.bisq` | Bisq wallet and keys |
| `/etc/nix-bitcoin-secrets` | nix-bitcoin generated secrets | | `/etc/nix-bitcoin-secrets` | nix-bitcoin generated secrets |
| `/var/lib/bitcoind` | Bitcoin Core chainstate and wallet | | `/var/lib/bitcoind` | Bitcoin Core chainstate and wallet |
| `/var/lib/lnd` | LND wallet and channel database |
| `/home` | User home directories |
Paths are only locked if they exist on disk at the time the session starts. Paths are only locked if they exist on disk at the time the session starts.
@@ -235,9 +232,8 @@ sed -i '/sovransystemsos-support/d' /root/.ssh/authorized_keys
rm -f /var/lib/secrets/support-wallet-unlock rm -f /var/lib/secrets/support-wallet-unlock
# Re-apply wallet ACL protections # Re-apply wallet ACL protections
setfacl -R -m u:sovran-support:--- /var/lib/lnd /root/.lnd \ setfacl -R -m u:sovran-support:--- /etc/nix-bitcoin-secrets \
/var/lib/sparrow /root/.sparrow /root/.bisq \ /var/lib/bitcoind /var/lib/lnd /home 2>/dev/null || true
/etc/nix-bitcoin-secrets /var/lib/bitcoind 2>/dev/null || true
# Restart sshd to drop any active connections # Restart sshd to drop any active connections
systemctl restart sshd systemctl restart sshd

2
modules/core/tech-support.nix
View File

@@ -7,7 +7,7 @@
# #
# Security design: # Security design:
# • Support staff log in as `sovran-support`, not as root. # • Support staff log in as `sovran-support`, not as root.
# • Wallet directories (LND, Sparrow, Bisq, …) are locked with POSIX ACLs # • Protected directories (LND, bitcoind, nix-bitcoin-secrets, /home) are locked with POSIX ACLs
# (u:sovran-support:---) by the Hub API as soon as a session is started. # (u:sovran-support:---) by the Hub API as soon as a session is started.
# • The Hub web UI lets the user grant time-limited access to wallet files # • The Hub web UI lets the user grant time-limited access to wallet files
# and view a full audit log of every session event. # and view a full audit log of every session event.