Deterministic app passwords (#1110)

SECURITY.md

@@ -20,14 +20,6 @@ This is pretty much the industry standard when it comes to locally networked dev
 
 However, we think we can do better and have some interesting ideas on how to make Umbrel safe to run even when the local network is untrusted.
 
-**Hardcoded app passwords**
-
-We use hardcoded passwords for apps that support password authentication. These hardcoded passwords aren't providing any actual security, they are there to prevent "annoying sibling" level attackers.
-
-We plan to resolve this by implementing SSO authentication across all apps. We can implement this at the Umbrel level transparently without any modifications required from individual apps.
-
-This means all Umbrel apps exposing a web interface will be protected by your Umbrel dashboard password.
-
 **Relaxed Permissions**
 
 Currently we are being quite liberal with filesystem permissions and root usage. Some background jobs on the host are currently being run as root that don't strictly need to. Also some scripts executed by root are writable by non-root users. The `umbrel` user itself is also currently added to the `docker` group which makes it essentially root.

apps/code-server/docker-compose.yml

@@ -10,7 +10,7 @@ services:
     volumes:
       - ${APP_DATA_DIR}/data:/home/coder
     environment:
-      PASSWORD: "moneyprintergobrrr"
+      PASSWORD: $APP_PASSWORD
     networks:
       default:
         ipv4_address: $APP_CODE_SERVER_IP

apps/lightning-terminal/data/.lit/lit.conf

@@ -1 +0,0 @@
-uipassword=moneyprintergobrrr

apps/lightning-terminal/docker-compose.yml

@@ -13,7 +13,9 @@ services:
       - ${LND_DATA_DIR}:/lnd:ro
     environment:
       HOME: "/data"
+      APP_PASSWORD: "$APP_PASSWORD"
     command:
+        - --uipassword_env=APP_PASSWORD
         - --insecure-httplisten=0.0.0.0:$APP_LIGHTNING_TERMINAL_PORT
         - --network="$BITCOIN_NETWORK"
         - --lnd-mode="remote"

apps/nextcloud/docker-compose.yml

@@ -44,7 +44,7 @@ services:
       - MYSQL_DATABASE=nextcloud
       - MYSQL_USER=nextcloud
       - NEXTCLOUD_ADMIN_USER=umbrel
-      - NEXTCLOUD_ADMIN_PASSWORD=moneyprintergobrrr
+      - NEXTCLOUD_ADMIN_PASSWORD=${APP_PASSWORD}
       - NEXTCLOUD_TRUSTED_DOMAINS=${APP_DOMAIN}:${APP_NEXTCLOUD_PORT} ${APP_HIDDEN_SERVICE}
     depends_on:
       - db

apps/node-red/data/admin-credentials.json

@@ -1 +1 @@
-{"username":"umbrel","password":"$2a$08$qlczmePU/RzbHHBFrsefkONVqflomTis92iH.pdOVItq72W2G.bGu","permissions":"*"}
+{"username":"umbrel","# TODO:": "APP_PASSWORD","password":"$2a$08$qlczmePU/RzbHHBFrsefkONVqflomTis92iH.pdOVItq72W2G.bGu","permissions":"*"}

apps/photoprism/docker-compose.yml

@@ -12,7 +12,7 @@ services:
       - "${APP_DATA_DIR}/originals:/photoprism/originals"
       - "${APP_DATA_DIR}/storage:/photoprism/storage"
     environment:
-      PHOTOPRISM_ADMIN_PASSWORD: "moneyprintergobrrr"
+      PHOTOPRISM_ADMIN_PASSWORD: "${APP_PASSWORD}"
       PHOTOPRISM_ORIGINALS_LIMIT: 10000
       PHOTOPRISM_HTTP_COMPRESSION: "gzip"
       PHOTOPRISM_HTTP_PORT: "${APP_PHOTOPRISM_PORT}"

apps/pi-hole/docker-compose.yml

@@ -16,7 +16,7 @@ services:
       - ${APP_DATA_DIR}/data/dnsmasq:/etc/dnsmasq.d/
     environment:
       - VIRTUAL_HOST=${APP_DOMAIN}
-      - WEBPASSWORD=moneyprintergobrrr
+      - WEBPASSWORD=${APP_PASSWORD}
     networks:
       default:
         ipv4_address: $APP_PI_HOLE_IP

apps/registry.json

@@ -19,7 +19,7 @@
       ],
       "path": "",
       "defaultUsername": "umbrel",
-      "defaultPassword": "moneyprintergobrrr",
+      "deterministicPassword": true,
       "torOnly": false
     },
     {
@@ -42,7 +42,7 @@
         ],
         "path": "",
         "defaultUsername": "",
-        "defaultPassword": "moneyprintergobrrr",
+        "deterministicPassword": true,
         "torOnly": false
     },
     {
@@ -65,7 +65,7 @@
         ],
         "path": "",
         "defaultUsername": "",
-        "defaultPassword": "moneyprintergobrrr",
+        "deterministicPassword": true,
         "torOnly": false
     },
     {
@@ -138,7 +138,7 @@
         ],
         "path": "",
         "defaultUsername": "",
-        "defaultPassword": "moneyprintergobrrr",
+        "deterministicPassword": true,
         "torOnly": false
     },
     {
@@ -400,7 +400,7 @@
         ],
         "path": "",
         "defaultUsername": "",
-        "defaultPassword": "moneyprintergobrrr"
+        "deterministicPassword": true
     },
     {
         "id": "lightning-terminal",
@@ -425,7 +425,7 @@
         ],
         "path": "",
         "defaultUsername": "",
-        "defaultPassword": "moneyprintergobrrr"
+        "deterministicPassword": true
     },
     {
         "id": "thunderhub",
@@ -449,7 +449,7 @@
         ],
         "path": "",
         "defaultUsername": "",
-        "defaultPassword": "moneyprintergobrrr"
+        "deterministicPassword": true
     },
     {
         "id": "lnbits",
@@ -547,7 +547,7 @@
         ],
         "path": "",
         "defaultUsername": "umbrel",
-        "defaultPassword": "moneyprintergobrrr"
+        "deterministicPassword": true
     },
     {
         "id": "krystal-bull",

apps/ride-the-lightning/docker-compose.yml

@@ -13,8 +13,10 @@ services:
       - ${APP_DATA_DIR}/loop:/loop
       - ${LND_DATA_DIR}:/lnd:ro
       - ${BITCOIN_DATA_DIR}:/bitcoin:ro
+    entrypoint: /data/entrypoint.sh
     environment:
         # App config
+        APP_PASSWORD: $APP_PASSWORD
         PORT: $APP_RIDE_THE_LIGHTNING_PORT
         RTL_CONFIG_PATH: "/data"
         CHANNEL_BACKUP_PATH: "/data/backup"

apps/ride-the-lightning/rtl/RTL-Config.json

@@ -1,5 +1,5 @@
 {
-  "multiPass": "moneyprintergobrrr",
+  "multiPass": "$APP_PASSWORD",
   "defaultNodeIndex": 1,
   "SSO": {
     "rtlSSO": 0,

apps/ride-the-lightning/rtl/entrypoint.sh

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+# Migrate legacy default password
+sed -i 's/"multiPassHashed": "70c882380045d35807b45245bd49185991904ff47a5036dfe82103c49f9f0f31"/"multiPass": "'${APP_PASSWORD}'"/' $RTL_CONFIG_PATH/RTL-Config.json
+sed -i 's/"multiPass": "moneyprintergobrrr"/"multiPass": "'${APP_PASSWORD}'"/' $RTL_CONFIG_PATH/RTL-Config.json
+
+# Migrate new password placeholder
+sed -i 's/$APP_PASSWORD/'${APP_PASSWORD}'/' $RTL_CONFIG_PATH/RTL-Config.json
+
+exec /sbin/tini -g -- node rtl

apps/specter-desktop/docker-compose.yml

@@ -14,6 +14,7 @@ services:
       - --host=0.0.0.0
       - --specter-data-folder=/data
     environment:
+      # TODO: APP_PASSWORD
       BTC_RPC_USER: $BITCOIN_RPC_USER
       BTC_RPC_PASSWORD: $BITCOIN_RPC_PASS
       BTC_RPC_HOST: $BITCOIN_IP

apps/squeaknode/docker-compose.yml

@@ -33,7 +33,7 @@ services:
       # App specific environment variables
       SQUEAKNODE_WEBADMIN_ENABLED: "true"
       SQUEAKNODE_WEBADMIN_USERNAME: "umbrel"
-      SQUEAKNODE_WEBADMIN_PASSWORD: "moneyprintergobrrr"
+      SQUEAKNODE_WEBADMIN_PASSWORD: "${APP_PASSWORD}"
 
       SQUEAKNODE_NODE_NETWORK: "$BITCOIN_NETWORK"
       SQUEAKNODE_NODE_SQK_DIR_PATH: "/sqk"

apps/thunderhub/data/entrypoint.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env sh
+
+# Set password
+sed -i 's/masterPassword:.*/masterPassword: '${APP_PASSWORD}'/' /data/thubConfig.yaml
+
+exec npm start

apps/thunderhub/data/thubConfig.yaml

@@ -1,4 +1,4 @@
-masterPassword: 'moneyprintergobrrr'
+masterPassword: '$APP_PASSWORD'
 accounts:
   - name: 'Umbrel'
     serverUrl: '{YML_ENV_1}'

apps/thunderhub/docker-compose.yml

@@ -11,7 +11,9 @@ services:
     volumes:
       - ${LND_DATA_DIR}:/lnd:ro
       - ${APP_DATA_DIR}/data:/data
+    entrypoint: /data/entrypoint.sh
     environment:
+      APP_PASSWORD: "$APP_PASSWORD"
       NO_VERSION_CHECK: "true"
       LOG_LEVEL: "debug"
       ACCOUNT_CONFIG_PATH: "/data/thubConfig.yaml"

docker-compose.yml

@@ -98,7 +98,7 @@ services:
                         ipv4_address: $DASHBOARD_IP
         manager:
                 container_name: manager
-                image: getumbrel/manager:v0.2.14@sha256:331406ac0232285b729404dc28e6bccb89def6c7974baf640b3726dfb9704105
+                image: getumbrel/manager:v0.2.15@sha256:20faf263a721913e02ec3452924556352946d718747d239900f5720e57afb3fc
                 depends_on: [ tor ]
                 restart: on-failure
                 stop_grace_period: 5m30s

scripts/app

@@ -116,6 +116,7 @@ compose() {
   export APP_DOMAIN="${app_domain}"
   export APP_HIDDEN_SERVICE="$(cat "${app_hidden_servive_file}" 2>/dev/null || echo "notyetset.onion")"
   export APP_SEED=$(derive_entropy "${app_entropy_identifier}")
+  export APP_PASSWORD=$(derive_entropy "${app_entropy_identifier}-APP_PASSWORD")
 
   # App specific env vars
   # Note: Hardcoding app specific env vars is a short term solution. Long term

scripts/update/01-run.sh

@@ -218,6 +218,31 @@ if [[ -d "${samourai_app_dojo_tor_dir}" ]] && [[ ! -d "${samourai_app_new_dojo_t
   mv "${samourai_app_dojo_tor_dir}/" "${samourai_app_new_dojo_tor_dir}"
 fi
 
+# Handle updating entrypoint for ride-the-lightning app
+rtl_data_dir="${UMBREL_ROOT}/app-data/ride-the-lightning"
+rtl_data_entrypoint="${rtl_data_dir}/rtl/entrypoint.sh"
+rtl_app_entrypoint="${UMBREL_ROOT}/apps/ride-the-lightning/rtl/entrypoint.sh"
+if [[ -d "${rtl_data_dir}" ]]; then
+  echo "Found ride-the-lightning install, attempting to update entrypoint..."
+  cp "${rtl_app_entrypoint}" "${rtl_data_entrypoint}"
+fi
+
+# Handle updating entrypoint for thunderhub app
+thunderhub_data_dir="${UMBREL_ROOT}/app-data/thunderhub"
+thunderhub_data_entrypoint="${thunderhub_data_dir}/data/entrypoint.sh"
+thunderhub_app_entrypoint="${UMBREL_ROOT}/apps/thunderhub/data/entrypoint.sh"
+if [[ -d "${thunderhub_data_dir}" ]]; then
+  echo "Found thunderhub install, attempting to update entrypoint..."
+  cp "${thunderhub_app_entrypoint}" "${thunderhub_data_entrypoint}"
+fi
+
+# Handle stripping hardcoded password for lightning-terminal app
+lightning_terminal_conf="${UMBREL_ROOT}/app-data/lightning-terminal/data/.lit/lit.conf"
+if [[ -f "${lightning_terminal_conf}" ]]; then
+  echo "Found lightning-terminal install, attempting to strip hardcoded password..."
+  sed -i 's/uipassword=moneyprintergobrrr//' "${lightning_terminal_conf}"
+fi
+
 # Fix permissions
 echo "Fixing permissions"
 find "$UMBREL_ROOT" -path "$UMBREL_ROOT/app-data" -prune -o -exec chown 1000:1000 {} +