ProtoZIP : Restricting RPC calls

An idea while fiddling with code, thought I’d mention it here in case it’s useful.

Right now the user can access any RPC call for their zcashd node, either through zcash-cli or with anything else they run (i.e. a script, third-party code, etc).

LND uses macaroons that can restrict access to ‘read’, ‘write’ or ‘admin’, which gives a way to restrict access to commands that spend funds. Macaroons are hard to work with (or in other words, I haven’t figured out how to do that with Perl - yet).

My suggestion is to add ‘disablefeature’ items to zcashd.conf; this would allow the user to set up their node as ‘read only’. By controlling access in this way, no third-party code would be affected, as it could still use the RPC server.

There’s a precedent, as the user can already enable experimental features, so the opposite of that would work nicely - root ownership & correct permissions on zcash.conf provide the rest.

This assumes the third-party code is not running as the same user that owns the wallet (access to keys etc) but that could be addressed by encrypting or locking the wallet.

The goal is only to allow a ‘different system user’ to use the RPC server in a controlled way.


Related to New network alert modes · Issue #3325 · zcash/zcash · GitHub which also suggests gating RPC calls to make them read-only, in a different setting.


I like this idea. It would be interesting to be able to deploy nodes that have been “specialized” for specific tasks. A node powering a block explorer doesn’t need to create transactions, multiple instances of a standalone wallet daemon might each only have access to a subset of keys/accounts, etc.

I’m not sure if macaroons are the right primitive for this (though I do love them) because they are sort of hard to work with. But, something! Even just a whitelisted mode might be desirable. I’ll make a note somewhere to consider doing this in zebra.


Maybe just a ‘readonly=1’ in the config will suffice.

I don’t like macaroons, far too complicated & a barrier to tinkerers like me 🙂
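
As an added illustration of the read-only / whitelisted mode discussed in this thread (not zcashd or zebra code, and not from any of the posters): a default-deny JSON-RPC method check of the kind a filtering layer in front of the RPC port could apply. The allowlist contents and the names `READ_ONLY_METHODS`, `check_call` and `gate` are assumptions made for this example.

```python
import json

# Assumption: a default-deny allowlist of query-only zcashd RPC names.
READ_ONLY_METHODS = frozenset({
    "getblockchaininfo", "getblockcount", "getbestblockhash",
    "getblockhash", "getblock", "getrawtransaction",
})

def _error(req_id, code, message):
    return {"result": None, "error": {"code": code, "message": message}, "id": req_id}

def check_call(call):
    """Return None if one call may be forwarded, else a JSON-RPC error object."""
    if not isinstance(call, dict) or not isinstance(call.get("method"), str):
        req_id = call.get("id") if isinstance(call, dict) else None
        return _error(req_id, -32600, "Invalid request")
    if call["method"] not in READ_ONLY_METHODS:  # exact, case-sensitive match
        return _error(call.get("id"), -32601, "Method disabled in read-only mode")
    return None

def gate(body):
    """Inspect a raw request body; return (forward, errors)."""
    try:
        parsed = json.loads(body)
    except ValueError:  # covers malformed JSON and invalid UTF-8
        return False, [_error(None, -32700, "Parse error")]
    calls = parsed if isinstance(parsed, list) else [parsed]
    if not calls:
        return False, [_error(None, -32600, "Invalid request")]
    errors = [e for e in map(check_call, calls) if e is not None]
    # A batch is forwarded only when every call in it is allowed, so a
    # spending call cannot ride along with permitted ones.
    return not errors, errors

# Constructed sample requests (not captured traffic).
SAMPLES = [
    b'{"jsonrpc":"1.0","id":1,"method":"getblockcount","params":[]}',
    b'{"jsonrpc":"1.0","id":2,"method":"z_sendmany","params":[]}',
    b'[{"id":3,"method":"getblockhash","params":[1]},'
    b'{"id":4,"method":"sendtoaddress","params":[]}]',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        forward, errors = gate(sample)
        print("forward" if forward else "reject", json.dumps(errors))
```

Listing what is allowed rather than what is disabled means RPC calls added in later releases stay blocked until someone reviews them.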