[Bug]: Linux node daemon install inlines gateway token into user systemd unit

[coygeek]

Severity Assessment

CVSS Assessment

Metric	v3.1	v4.0
Score	7.8 / 10.0	8.5 / 10.0
Severity	High	High
Vector	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Calculator	CVSS v3.1 Calculator	CVSS v4.0 Calculator

Threat Model Alignment

Classification: security-specific

OpenClaw's gateway security guide states that shared-secret bearer credentials are full operator secrets for the gateway, and authorizeTokenAuth() treats a matching OPENCLAW_GATEWAY_TOKEN as successful token authentication. The Linux node-daemon install path persists that token inside the generated user systemd unit, so any same-host principal that can read the unit crosses the gateway.auth boundary without pairing or another gateway credential. SECURITY.md excludes exposed third-party or user-controlled credentials, but this token is OpenClaw's own gateway secret. The issue is therefore in scope as a credential-disclosure bug, even under the one-user model, because the documented mitigation for shared hosts is separate OS-user boundaries and this install path weakens that boundary when the unit inherits default read permissions.

Impact

On Linux, openclaw node install copies the caller's OPENCLAW_GATEWAY_TOKEN into the generated openclaw-node.service user unit as an inline Environment= entry. A same-host user or process that can read that unit recovers a bearer secret that OpenClaw accepts as full gateway operator authentication.

Affected Component

Files: openclaw/src/daemon/service-env.ts:421-449, openclaw/src/commands/node-daemon-install-helpers.ts:19-68, openclaw/src/cli/node-cli/daemon.ts:131-167, openclaw/src/daemon/systemd.ts:560-622, openclaw/src/daemon/systemd-unit.ts:20-35, openclaw/src/gateway/auth.ts:350-363

const gatewayToken = normalizeOptionalString(env.OPENCLAW_GATEWAY_TOKEN);
return {
  ...buildCommonServiceEnvironment(env, sharedEnv),
  OPENCLAW_GATEWAY_TOKEN: gatewayToken,
  OPENCLAW_ALLOW_INSECURE_PRIVATE_WS: allowInsecurePrivateWs,
  OPENCLAW_SYSTEMD_UNIT: resolveNodeSystemdServiceName(),
  OPENCLAW_SERVICE_KIND: NODE_SERVICE_KIND,
};

return entries.map(([key, value]) => {
  const rawValue = value ?? "";
  return `Environment=${systemdEscapeArg(`${key}=${rawValue.trim()}`)}`;
});

const unit = buildSystemdUnit({
  programArguments,
  workingDirectory,
  environment: environmentSansDotEnvEntries,
  environmentFiles: environmentFileResult.environmentFiles,
});
await fs.writeFile(unitPath, unit, "utf8");

if (!safeEqualSecret(params.connectToken, params.authToken)) {
  return { ok: false, reason: "token_mismatch" };
}
return { ok: true, method: "token" };

Technical Reproduction

1. On a Linux host with user systemd enabled, export a real gateway token into the shell that will run the installer: OPENCLAW_GATEWAY_TOKEN=<gateway-secret>.
2. Run openclaw node install --host 127.0.0.1 --port 18789. runNodeDaemonInstall() passes process.env to buildNodeInstallPlan(), which calls buildNodeServiceEnvironment() and returns an environment object containing OPENCLAW_GATEWAY_TOKEN.
3. resolveNodeService().install() forwards that environment into the shared systemd installer. writeSystemdUnit() keeps the node token in environmentSansDotEnvEntries, buildSystemdUnit() renders Environment=OPENCLAW_GATEWAY_TOKEN=<token>, and fs.writeFile(unitPath, unit, "utf8") writes the resulting unit to ~/.config/systemd/user/openclaw-node.service without an explicit restrictive mode.
4. From another same-host account or process that can read the target user's systemd unit path, read ~/.config/systemd/user/openclaw-node.service and extract the inline token.
5. Present that token to any gateway HTTP or WebSocket client. authorizeTokenAuth() compares it with the configured gateway token and returns { ok: true, method: "token" }, granting operator access.

Demonstrated Impact

The vulnerable path is specific to the Linux node-daemon installer. buildNodeServiceEnvironment() always copies OPENCLAW_GATEWAY_TOKEN into the generated service environment, buildNodeInstallPlan() returns only environment (not environmentValueSources), and runNodeDaemonInstall() passes that inline environment directly into service.install(). In the shared systemd writer, writeSystemdGatewayEnvironmentFile() only emits a protected 0600 env file for values sourced from the state-dir dotenv or an existing environment file; the node token never enters that path, so environmentFileResult.environmentFiles stays empty for the token and buildSystemdUnit() serializes it inline as Environment=OPENCLAW_GATEWAY_TOKEN=.... The resulting user unit is written with fs.writeFile(unitPath, unit, "utf8") and no follow-up chmod, so visibility falls back to the caller's directory and umask defaults instead of an owner-only policy. A reader that extracts the token bypasses pairing and any narrower device identity checks because the gateway auth layer accepts the shared bearer token as full operator access.

The same claim does not hold for the current macOS launchd path. prepareLaunchAgentProgramArguments() writes launchd environment values to ~/.openclaw/service-env/<label>.env with mode 0600, stores the wrapper script with mode 0700, and rewrites the plist to reference that wrapper instead of embedding the token inline. The verified remaining exposure is therefore the Linux user-systemd node install flow.

Environment

Verified against OpenClaw release v2026.5.4 (published 2026-05-05T08:24:01Z) and current upstream source commit 7188e4f4ad87a51a11d3dc3c7909fd79ea01d6e9 on the Linux node-daemon install path: openclaw/src/cli/node-cli/daemon.ts → openclaw/src/commands/node-daemon-install-helpers.ts → openclaw/src/daemon/service-env.ts → openclaw/src/daemon/systemd.ts / openclaw/src/daemon/systemd-unit.ts → openclaw/src/gateway/auth.ts. Scope was calibrated against the macOS launchd implementation in openclaw/src/daemon/launchd.ts, which already moves service environment variables into owner-only files.

Remediation Advice

Handle node-daemon gateway credentials with the same owner-only secret-file pattern already used by the launchd installer and by the Linux gateway installer for file-backed environment values. Carry environmentValueSources through the node install plan, mark OPENCLAW_GATEWAY_TOKEN as a managed secret that must not remain inline in the unit, and enforce owner-only permissions for any service artifact that still needs to reference credential material.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep open: current main and the latest shipped release still let the Linux node daemon gateway token flow into inline systemd Environment= rendering, and the linked closing PR is open rather than merged.

Reproducibility: yes. for a high-confidence source reproduction: current main copies the node gateway token into service env, does not carry source metadata through the node install plan, and renders unmarked systemd env inline. I did not run a live Linux user-systemd install during this read-only review.

Next step
No separate repair lane: an open linked PR already targets this security fix, and the remaining action is maintainer security review plus real Linux systemd proof.

Security
Needs attention: This issue reports a concrete OpenClaw-owned gateway credential exposure in the Linux node systemd install path.

Review details

Best possible solution:

Review and land #78044, or an equivalent narrow fix, once redacted Linux user-systemd proof shows the token only in an owner-only env file and stale inline unit or backup copies sanitized.

Do we have a high-confidence way to reproduce the issue?

Yes for a high-confidence source reproduction: current main copies the node gateway token into service env, does not carry source metadata through the node install plan, and renders unmarked systemd env inline. I did not run a live Linux user-systemd install during this read-only review.

Is this the best way to solve the issue?

Yes: reusing the existing environmentValueSources contract and 0600 systemd env-file path is the narrow maintainable fix. The issue should stay open until the linked PR or equivalent fix merges with real Linux proof.

Security concerns:

• [high] Keep gateway token out of node systemd units — src/daemon/service-env.ts:447
  The current node daemon install path can still pass OPENCLAW_GATEWAY_TOKEN as ordinary service environment, allowing systemd rendering to emit it as an inline Environment= value for a full operator bearer secret.
  Confidence: 0.93

What I checked:

• Current main checked: The checkout is on current main at f1c8570. (f1c8570e0c8d)
• Node service env still carries the token: buildNodeServiceEnvironment() reads env.OPENCLAW_GATEWAY_TOKEN and returns it as OPENCLAW_GATEWAY_TOKEN for node services. (src/daemon/service-env.ts:443, f1c8570e0c8d)
• Node install plan lacks source metadata: NodeInstallPlan contains only environment, and buildNodeInstallPlan() returns no environmentValueSources, so the node token is not marked as file-backed. (src/commands/node-daemon-install-helpers.ts:12, f1c8570e0c8d)
• Node CLI passes only inline environment: runNodeDaemonInstall() destructures environment from the plan and passes it to service.install() without environment source metadata. (src/cli/node-cli/daemon.ts:139, f1c8570e0c8d)
• Systemd writer leaves unmanaged values inline: writeSystemdUnit() only removes values that are backed by the generated env file; unmarked node token values remain in environmentSansDotEnvEntries and are passed to buildSystemdUnit(). (src/daemon/systemd.ts:594, f1c8570e0c8d)
• Systemd renderer emits inline Environment lines: renderEnvLines() serializes remaining environment entries as Environment=<key>=<value>, matching the reported exposure. (src/daemon/systemd-unit.ts:20, f1c8570e0c8d)

Likely related people:

• liuxiaopai-ai: Authored the merged node service-env change that added OPENCLAW_GATEWAY_TOKEN persistence for node installs. (role: introduced behavior; confidence: high; commits: f1354869bd73; files: src/daemon/service-env.ts, src/daemon/service-env.test.ts)
• steipete: Introduced the node daemon install surface touched by this issue and is tied to repository ownership context for this area. (role: feature introducer and adjacent owner; confidence: high; commits: ae0b4c49903d; files: src/commands/node-daemon-install-helpers.ts, src/cli/node-cli/daemon.ts, src/daemon/node-service.ts)
• hclsys: Recent systemd env-file preservation work is the contract the token fix should extend. (role: adjacent systemd env-file contributor; confidence: high; commits: f8f881f63fab; files: src/daemon/systemd.ts, src/daemon/systemd.test.ts, src/daemon/service-managed-env.ts)
• tmimmanuel: Authored earlier systemd hardening that moved dotenv-backed secrets out of inline unit rendering. (role: prior related hardening contributor; confidence: medium; commits: a2ab9e6a8e4c; files: src/daemon/systemd.ts, src/daemon/systemd-unit.ts, src/daemon/systemd.test.ts)

Remaining risk / open question:

• I did not run a live Linux user-systemd install in this read-only pass; the reproduction is source-level plus a user confirmation against v2026.5.12.
• The linked PR still needs real Linux systemd after-fix proof before this issue should close.

Codex review notes: model gpt-5.5, reasoning high; reviewed against f1c8570e0c8d.

[sapopo93]

Confirmed on a 2026.5.12 Linux user-service install. Local mitigation applied by moving OPENCLAW_GATEWAY_TOKEN out of openclaw-gateway.service into a mode-600 EnvironmentFile at ~/.openclaw/secrets/openclaw-gateway.env, then updating local watchdog validation/recovery scripts so token reconciliation reads/writes that env file and refuses a unit with an embedded OPENCLAW_GATEWAY_TOKEN. This avoids the next token rotation reintroducing the unit inline-secret and watchdog restart-loop failure mode.