[arch-general] matrix-synapse "enhanced" security

Alexander Epaneshnikov alex19ep at archlinux.org
Thu Nov 18 22:53:17 UTC 2021


On Thu, Nov 18, 2021 at 08:02:23PM +0100, Uwe Sauter via arch-general wrote:
> Dear all,

Hello Uwe.

> beginning with matrix-synapse 1.44.0-1 in early October a Systemd override
> file (see below for reference) was included in the package that aims to
> enhance the security of Synapse. Amongst other things it tells Systemd to
> restrict access to certain directories that are seen as defaults.

Yep. I did this.

> Unfortunately this enhancement broke my setup by neglecting that there are
> various paths inside Synapse's configuration that can be customized, e.g.
> media_store_path and uploads_path.
> The error I see in my logs is:

Sorry for that.

> It is also impossible to insert pictures into the chat. The client just
> tells "unable to send message" but no log entry is created on the server.
>
> Did I miss any notification about this change?

There is no notification about that, and I am sorry for that too.

> Can anyone help me with customizing the Systemd override file so that
> Synapse regains access to media_store_path and uploads_path?

Certainly.
You can edit the synapse.service unit with the systemctl edit command
and write ReadWritePaths=/srv/matrix
in the [Service] section.

You can read about systemd unit editing on the Arch Wiki[1] and consult
the systemd.exec man page[2] for more information about unit restrictions.

> Any help is appreciated.
>
>
> Thank you,
>
>   Uwe

[1]: https://wiki.archlinux.org/title/Systemd#Editing_provided_units
[2]: https://man.archlinux.org/man/systemd.exec.5#SANDBOXING

--
Sincerely, Alexander | Trusted User
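
Added example (not part of the original message or the Arch package): a POSIX shell helper that reads the two customizable paths named in the thread, media_store_path and uploads_path, from a Synapse configuration file and prints a drop-in for `systemctl edit synapse.service` that lists only those directories. It assumes both keys are top-level `key: value` lines holding absolute paths without whitespace; the function names and the demo configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumptions: media_store_path and uploads_path are top-level
# "key: value" lines holding absolute paths without whitespace.

# Print the value of a top-level YAML key, minus trailing comment and quotes.
yaml_top_level_value() {    # $1 = key, $2 = config file
    sed -n "s/^$1:[[:space:]]*//p" "$2" |
        sed -e 's/[[:space:]][[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
            -e "s/^[\"']//" -e "s/[\"']\$//" |
        head -n 1
}

# Print a [Service] drop-in listing only the directories Synapse is
# configured to write to. Returns 1 if neither key is set.
synapse_rw_dropin() {       # $1 = path to the Synapse configuration file
    paths=""
    for key in media_store_path uploads_path; do
        value=$(yaml_top_level_value "$key" "$1")
        case "$value" in
            "") continue ;;     # key absent: nothing to add
            /*) ;;              # absolute path: keep
            *)  echo "skipping non-absolute $key: $value" >&2; continue ;;
        esac
        case " $paths " in
            *" $value "*) ;;    # already listed
            *) paths="$paths $value" ;;
        esac
    done
    [ -n "$paths" ] || return 1
    printf '[Service]\nReadWritePaths=%s\n' "${paths# }"
}

# Demo on a constructed configuration (not a real homeserver.yaml).
demo_cfg=$(mktemp)
printf '%s\n' 'media_store_path: "/srv/matrix/media_store"' \
    'uploads_path: /srv/matrix/uploads  # custom location' > "$demo_cfg"
synapse_rw_dropin "$demo_cfg"
rm -f "$demo_cfg"
```

Paste the printed lines into the editor opened by `systemctl edit synapse.service`, then restart the service.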