lightningd/jsonrpc.c: Set JSON-RPC socket permissions by command line.

[ZmnSCPxj]

Fixes: #1366

Arguably also works for #3394. It is probably more sensible to set permissions via this patch and --rpc-file-mode, since this will work in a new install or if you place the RPC file in a tmpfs (which might make more sense as well, so that at startup the rpc file does not exist yet, so you can wait on the file existing to determine if you can now connect to it and the correct lightningd already is listening).

[ZmnSCPxj]

A comment: JSON, technically speaking, disallows encoding octal in the JSON stream, and the only numbers that can start with 0 are 0 and floating-point numbers that have only 0 before the . sign. Of course, traditionally we express file modes in octal, because tradition. So in listconfigs, the rpc-file-mode setting is a string that is the octal representation of the mode.

[cdecker]

The implementation looks good to me, however the reason I was reluctant to add a CLI flag was that it'd also get us to --rpc-file-owner and -rpc-file-group. Would it make sense to rather not recreate the socket file on each startup, keeping any manual changes in place? That'd be less unexpected than the file reverting any changes an operator might have done on the file, and free us from having to wire all possible file-related changes through lightningd options. It'd also match the systemd-way-of-doing-things, where a separate socket unit can pre-populate the socket file with the desired ACLs before starting the node.

Then again, I see the point of restoring a known good state on each startup, which is what I think @rustyrussell aimed to do by recreating every time. Just wanted to discuss this briefly before merging. What do you think @rustyrussell @ZmnSCPxj?

[ZmnSCPxj]

I intend to set up my own rpc-file in a tmpfs, for the same reason: a clean startup. As well, it allows me to determine if lightningd is ready to listen, by checking if the file exists (since it is in a tmpfs, at system boot the file does not exist yet, then when lightningd is ready to listen, it exists tthen).

Ownership and groupship are generally handled by running daemons in their own unique UID and GID, e.g. Tor is typically run in tor:tor or debian-tor:debian-tor and if you want to let particular users access the Tor control port you do CookieAuthFileGroupReadable 1 and add the tor/debian-tor group to the user ancillary group list. That is how I intend to set up lightningd myself.

[cdecker]

Ownership and groupship are generally handled by running daemons in their own unique UID and GID, e.g. Tor is typically run in tor:tor or debian-tor:debian-tor and if you want to let particular users access the Tor control port you do CookieAuthFileGroupReadable 1 and add the tor/debian-tor group to the user ancillary group list. That is how I intend to set up lightningd myself.

Sounds compelling. Would you suggest we change the file mask to allow groups then? It's something that several projects have bumped against, and I like your "add them to the lightningd group" proposal 👍

[cdecker]

ACK 5c28d1f

[ZmnSCPxj]

Would you suggest we change the file mask to allow groups then?

This command-line argument allows you to set this...? Just pass in 0660 instead of the default 0600. Or 0666 if you are insane and want to get your node funds stolen. In retrospect a --rpc-file-allow-group might have made better sense, since the only sensible settings are 0600 (no group) and 0660 (allow group).