ElementsProject / lightning

Core Lightning — Lightning Network implementation focusing on spec compliance and performance
Other
2.84k stars 901 forks source link

Disable access to dangerous commands #3495

Closed ZmnSCPxj closed 4 years ago

ZmnSCPxj commented 4 years ago

Some commands are dangerous: we know for a fact that users have lost money by incorrect use of these commands:

Because of these, we should restrict access to these commands. In particular, these commands should only be accessible to plugins that provide safer interfaces (fundchannel, listpays) and the lower-level commands should be restricted.

My proposal is this:

ZmnSCPxj commented 4 years ago

Plugin libraries could add some additional field to their init wrappers / entrypoints to indicate that the plugin requires a specific restricted command, and will fail plugin startup if the command does not exist in unrestrictions. Further, they could internally wrap any command interface they have to look up unrestrictions for the mangled method names.

rustyrussell commented 4 years ago

I sympathize with this, but compatibility is also important. Making things harder to use is rarely a good idea.

I do wonder if there's a way to clearly demark all "you probably don't want to use this!" commands; we've used the dev- marker for clearly developer cases, but some of those have been marginal too (eg. dev-sendcustommsg especially).

Documentation is not sufficient for this, clearly.

Should we migrate all such commands use a raw- prefix? Or require a spurious dangerous=true argument? Or even danger- as a prefix?

ZmnSCPxj commented 4 years ago

If we are willing to settle for a prefix, then I would suggest adding : rather than - as separator, eg not-safe-to-use:listsendpays, if only because of its unusualness. But that still does not follow the principle that we should only provide an interface to users that would not cut them if they misuse it accidentally (this is the unsafePerformIO debate...)

We might still want to have multiple layers of interfaces to be used only at specific places, with a separate application layer that only accepts such simple (in interface) commands as pay, invoice, waitanyinvoice, listinvoices, delinvoice, listpays, paystatus, getinfo, listfunds, listpeers, newaddr, withdraw, fundchannel, autocleaninvoice, decodeinvoice (why is it decodepay and not decodeinvoice??).

cdecker commented 4 years ago

Just as another option we could adopt bitcoins modus operandi and just exclude commands we don't want users to use directly from the help output and add warnings in the manpages, so that the uninitiated user doesn't get tempted but they are still there.