Merge pull request #5457 from guggero/wallet-password-file-fallback

lnd+config+sample-lnd.conf: add wallet-unlock-allow-create flag
2021-07-01 18:04:38 -07:00 · 2021-07-01 18:04:38 -07:00 · 2a59c43d14
commit 2a59c43d14
parent 6d5ab035c5 6ca38bc815
3 changed files with 25 additions and 6 deletions
--- a/config.go
+++ b/config.go
@ -299,7 +299,8 @@ type Config struct {
 	NoNetBootstrap bool `long:"nobootstrap" description:"If true, then automatic network bootstrapping will not be attempted."`

 	NoSeedBackup             bool   `long:"noseedbackup" description:"If true, NO SEED WILL BE EXPOSED -- EVER, AND THE WALLET WILL BE ENCRYPTED USING THE DEFAULT PASSPHRASE. THIS FLAG IS ONLY FOR TESTING AND SHOULD NEVER BE USED ON MAINNET."`
-	WalletUnlockPasswordFile string `long:"wallet-unlock-password-file" description:"The full path to a file (or pipe/device) that contains the password for unlocking the wallet; if set, no unlocking through RPC is possible and lnd will exit if no wallet exists or the password is incorrect"`
+	WalletUnlockPasswordFile string `long:"wallet-unlock-password-file" description:"The full path to a file (or pipe/device) that contains the password for unlocking the wallet; if set, no unlocking through RPC is possible and lnd will exit if no wallet exists or the password is incorrect; if wallet-unlock-allow-create is also set then lnd will ignore this flag if no wallet exists and allow a wallet to be created through RPC."`
+	WalletUnlockAllowCreate  bool   `long:"wallet-unlock-allow-create" description:"Don't fail with an error if wallet-unlock-password-file is set but no wallet exists yet."`

 	ResetWalletTransactions bool `long:"reset-wallet-transactions" description:"Removes all transaction history from the on-chain wallet on startup, forcing a full chain rescan starting at the wallet's birthday. Implements the same functionality as btcwallet's dropwtxmgr command. Should be set to false after successful execution to avoid rescanning on every restart of lnd."`

@ -1347,6 +1348,11 @@ func ValidateConfig(cfg Config, usageMessage string,
 		return nil, fmt.Errorf("cannot set noseedbackup and " +
 			"wallet-unlock-password-file at the same time")

+	// The "allow-create" flag cannot be set without the auto unlock file.
+	case cfg.WalletUnlockAllowCreate && cfg.WalletUnlockPasswordFile == "":
+		return nil, fmt.Errorf("cannot set wallet-unlock-allow-create " +
+			"without wallet-unlock-password-file")
+
 	// If a password file was specified, we need it to exist.
 	case cfg.WalletUnlockPasswordFile != "" &&
 		!lnrpc.FileExists(cfg.WalletUnlockPasswordFile):
--- a/lnd.go
+++ b/lnd.go
@ -481,9 +481,14 @@ func Main(cfg *Config, lisCfg ListenerCfg, interceptor signal.Interceptor) error
 		interceptorChain.SetWalletLocked()
 	}

-	// If we've started in auto unlock mode, then a wallet _must_ already
-	// exist because we never want to enable the RPC unlocker in that case.
-	if cfg.WalletUnlockPasswordFile != "" && !walletExists {
+	// If we've started in auto unlock mode, then a wallet should already
+	// exist because we don't want to enable the RPC unlocker in that case
+	// for security reasons (an attacker could inject their seed since the
+	// RPC is unauthenticated). Only if the user explicitly wants to allow
+	// wallet creation we don't error out here.
+	if cfg.WalletUnlockPasswordFile != "" && !walletExists &&
+		!cfg.WalletUnlockAllowCreate {
+
 		return fmt.Errorf("wallet unlock password file was specified " +
 			"but wallet does not exist; initialize the wallet " +
 			"before using auto unlocking")
@ -498,7 +503,7 @@ func Main(cfg *Config, lisCfg ListenerCfg, interceptor signal.Interceptor) error
 		// set above.

 	// A password for unlocking is provided in a file.
-	case cfg.WalletUnlockPasswordFile != "":
+	case cfg.WalletUnlockPasswordFile != "" && walletExists:
 		ltndLog.Infof("Attempting automatic wallet unlock with " +
 			"password provided in file")
 		pwBytes, err := ioutil.ReadFile(cfg.WalletUnlockPasswordFile)
--- a/sample-lnd.conf
+++ b/sample-lnd.conf
@ -260,9 +260,17 @@

 ; The full path to a file (or pipe/device) that contains the password for
 ; unlocking the wallet; if set, no unlocking through RPC is possible and lnd
-; will exit if no wallet exists or the password is incorrect
+; will exit if no wallet exists or the password is incorrect; if
+; wallet-unlock-allow-create is also set then lnd will ignore this flag if no
+; wallet exists and allow a wallet to be created through RPC.
 ; wallet-unlock-password-file=/tmp/example.password

+; Don't fail with an error if wallet-unlock-password-file is set but no wallet
+; exists yet. Not recommended for auto-provisioned or high-security systems
+; because the wallet creation RPC is unauthenticated and an attacker could
+; inject a seed while lnd is in that state.
+; wallet-unlock-allow-create=true
+
 ; Removes all transaction history from the on-chain wallet on startup, forcing a
 ; full chain rescan starting at the wallet's birthday. Implements the same
 ; functionality as btcwallet's dropwtxmgr command. Should be set to false after