On Thu, Nov 18, 2021 at 08:02:23PM +0100, Uwe Sauter via arch-general wrote:
Dear all,
hello Uwe.
beginning with matrix-synapse 1.44.0-1 in early October a Systemd override file (see below for reference) was included to the package that aims to enhance the security of Synapse. Amongst other things it tells Systemd to restrict access to certain directories that are seen as defaults.
yep. I did this.
Unfortunately this enhancement broke my setup by neglecting that there are various paths inside Synapse's configuration that can be customized, e.g. media_store_path and uploads_path. The error I see in my logs is:
sorry for that.
It is also impossible to insert pictures into the chat. The client just tells "unable to send message" but no log entry is created on the server.
Did I miss any notification about this change?
there are no notification about that. and I am sorry for that too.
Can anyone help me with customizing the Systemd override file so that Synapse regains access to media_store_path and uploads_path?
Certainly. you can edit the synapse.service unit with the systemctl edit command and write ReadWritePaths=/srv/matrix in the [Service] section you can read about systemd unit editing on the arch wiki[1] and consult systemd.exec man[2] for more information about unit restrictions.
Any help is appreciated.
Thank you,
Uwe
[1]: https://wiki.archlinux.org/title/Systemd#Editing_provided_units [2]: https://man.archlinux.org/man/systemd.exec.5#SANDBOXING -- Sincerely, Alexander | Trusted User