[arch-general] matrix-synapse "enhanced" security
Uwe Sauter
uwe.sauter.de at gmail.com
Thu Nov 18 23:00:09 UTC 2021
Hello Alexander, hello Patrick,
thanks for your suggestions, they seem to work.
@Alexander: Would you mind adding this customization to the wiki article about Matrix/Synapse [1]? There is already a
section regarding the read-only error but no work-around/solution yet.
Also, please accept my gratitude for your work maintaining the matrix-synapse package.
Thank you both,
Uwe
[1] https://wiki.archlinux.org/title/Matrix
On 18.11.21 at 23:53, Alexander Epaneshnikov wrote:
> On Thu, Nov 18, 2021 at 08:02:23PM +0100, Uwe Sauter via arch-general wrote:
>> Dear all,
>
> hello Uwe.
>
>> beginning with matrix-synapse 1.44.0-1 in early October a Systemd override
>> file (see below for reference) was included in the package that aims to
>> enhance the security of Synapse. Amongst other things it tells Systemd to
>> restrict access to certain directories that are seen as defaults.
>
> yep. I did this.
>
>> Unfortunately this enhancement broke my setup by neglecting that there are
>> various paths inside Synapse's configuration that can be customized, e.g.
>> media_store_path and uploads_path.
>> The error I see in my logs is:
>
> sorry for that.
>
>> It is also impossible to insert pictures into the chat. The client just
>> tells "unable to send message" but no log entry is created on the server.
>>
>> Did I miss any notification about this change?
>
> there is no notification about that. and I am sorry for that too.
>
>> Can anyone help me with customizing the Systemd override file so that
>> Synapse regains access to media_store_path and uploads_path?
>
> Certainly.
> you can edit the synapse.service unit with the systemctl edit command
> and write ReadWritePaths=/srv/matrix
> in the [Service] section
>
> you can read about systemd unit editing on the arch wiki[1] and consult
> systemd.exec man[2] for more information about unit restrictions.
>
>> Any help is appreciated.
>>
>>
>> Thank you,
>>
>> Uwe
>
> [1]: https://wiki.archlinux.org/title/Systemd#Editing_provided_units
> [2]: https://man.archlinux.org/man/systemd.exec.5#SANDBOXING
>
> --
> Sincerely, Alexander | Trusted User
>
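A check for the situation discussed in this thread, as an added example that is not part of the original mails or of the matrix-synapse package: it reports which Synapse path settings are not covered by the unit's ReadWritePaths=. The unit, drop-in and homeserver.yaml contents are constructed samples (the packaged override is not reproduced here), and all function names are hypothetical.

```python
import os
import re

# Constructed samples: NOT the packaged unit, override or a real homeserver.yaml.
SAMPLE_UNIT = "[Service]\nProtectSystem=strict\nReadWritePaths=/var/lib/synapse /etc/synapse\n"
SAMPLE_DROPIN = "[Service]\nReadWritePaths=/srv/matrix\n"
SAMPLE_HOMESERVER = 'media_store_path: "/srv/matrix/media_store"\nuploads_path: /srv/matrix/uploads\n'


def read_write_paths(*unit_texts):
    """Merge ReadWritePaths= from [Service] over the unit and its drop-ins, in order.

    The setting is additive across files; an empty assignment resets the list.
    """
    paths = []
    for text in unit_texts:
        section = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line[0] in "#;":
                continue
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
                continue
            key, sep, value = line.partition("=")
            if section != "Service" or not sep or key.strip() != "ReadWritePaths":
                continue
            if not value.strip():
                paths = []  # "ReadWritePaths=" clears earlier entries
            else:
                # a leading "-" or "+" is a systemd path modifier, not part of the path
                paths += [os.path.normpath(p.lstrip("-+")) for p in value.split()]
    return paths


def configured_paths(homeserver_yaml, keys=("media_store_path", "uploads_path")):
    """Read top-level path settings by line match (assumes one 'key: value' per line)."""
    found = {}
    for key in keys:
        m = re.search(rf"^{key}:[ \t]*[\"']?([^\"'#\n]+?)[\"']?[ \t]*(?:#.*)?$",
                      homeserver_yaml, re.M)
        if m:
            found[key] = os.path.normpath(m.group(1))
    return found


def outside_sandbox(homeserver_yaml, *unit_texts):
    """Return {setting: path} for paths not at or below any ReadWritePaths entry."""
    writable = read_write_paths(*unit_texts)

    def covered(path):
        return any(path == w or path.startswith(w.rstrip("/") + "/") for w in writable)

    return {k: p for k, p in configured_paths(homeserver_yaml).items() if not covered(p)}
```

On a live host, the merged unit text can be taken from the output of `systemctl cat synapse.service`, which includes any drop-ins.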