Add file security docs for running Zebra with elevated permissions

ZcashFoundation · Apr 13, 2023 · 1eecebe · 1eecebe
1 parent fbeb79a
commit 1eecebe
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 0 deletions.
diff --git a/zebra-consensus/src/config.rs b/zebra-consensus/src/config.rs
@@ -4,6 +4,18 @@ use serde::{Deserialize, Serialize};
 
 /// Configuration for parallel semantic verification:
 /// <https://zebra.zfnd.org/dev/rfcs/0002-parallel-verification.html#definitions>
+///
+/// Automatically downloads the Zcash Sprout and Sapling parameters to the default directory:
+/// - Linux: `$HOME/.zcash-params`
+/// - macOS: `$HOME/Library/Application Support/ZcashParams`
+/// - Windows: `%APPDATA%\ZcashParams` or `C:\Users\%USERNAME%\AppData\ZcashParams`
+///
+/// # Security
+///
+/// If you are running Zebra with elevated permissions ("root"), create the
+/// parameters directory before running Zebra, and make sure the Zebra user
+/// account has exclusive access to that directory, and other users can't modify
+/// its parent directories.
 #[derive(Clone, Debug, Deserialize, Serialize)]
 #[serde(deny_unknown_fields, default)]
 pub struct Config {

diff --git a/zebra-state/src/config.rs b/zebra-state/src/config.rs
@@ -44,6 +44,13 @@ pub struct Config {
     /// | macOS   | `$HOME/Library/Caches/zebra`                    | `/Users/Alice/Library/Caches/zebra`  |
     /// | Windows | `{FOLDERID_LocalAppData}\zebra`                 | `C:\Users\Alice\AppData\Local\zebra` |
     /// | Other   | `std::env::current_dir()/cache/zebra`           | `/cache/zebra`                       |
+    ///
+    /// # Security
+    ///
+    /// If you are running Zebra with elevated permissions ("root"), create the
+    /// directory for this file before running Zebra, and make sure the Zebra user
+    /// account has exclusive access to that directory, and other users can't modify
+    /// its parent directories.
     pub cache_dir: PathBuf,
 
     /// Whether to use an ephemeral database.

diff --git a/zebrad/src/components/tracing.rs b/zebrad/src/components/tracing.rs
@@ -92,6 +92,13 @@ pub struct Config {
     /// The need to create two files means that we will slightly manipulate the
     /// path given to us to create the two representations.
     ///
+    /// # Security
+    ///
+    /// If you are running Zebra with elevated permissions ("root"), create the
+    /// directory for this file before running Zebra, and make sure the Zebra user
+    /// account has exclusive access to that directory, and other users can't modify
+    /// its parent directories.
+    ///
     /// # Example
     ///
     /// Given `flamegraph = "flamegraph"` we will generate a `flamegraph.svg` and