[arch-general] matrix-synapse "enhanced" security

Uwe Sauter uwe.sauter.de at gmail.com
Thu Nov 18 23:00:09 UTC 2021


Hello Alexander, hello Patrick,

thanks for your suggestions, they seem to work.

@Alexander: Would you mind adding this customization to the wiki article about Matrix/Synapse [1]? There is already a 
section regarding the read-only error but no work-around/solution yet.
Also, please accept my gratitude for your work maintaining the matrix-synapse package.

Thank you both,

	Uwe


[1] https://wiki.archlinux.org/title/Matrix

On 18.11.21 at 23:53, Alexander Epaneshnikov wrote:
> On Thu, Nov 18, 2021 at 08:02:23PM +0100, Uwe Sauter via arch-general wrote:
>> Dear all,
> 
> hello Uwe.
> 
>> beginning with matrix-synapse 1.44.0-1 in early October a Systemd override
>> file (see below for reference) was included in the package that aims to
>> enhance the security of Synapse. Amongst other things it tells Systemd to
>> restrict access to certain directories that are seen as defaults.
> 
> yep. I did this.
> 
>> Unfortunately this enhancement broke my setup by neglecting that there are
>> various paths inside Synapse's configuration that can be customized, e.g.
>> media_store_path and uploads_path.
>> The error I see in my logs is:
> 
> sorry for that.
> 
>> It is also impossible to insert pictures into the chat. The client just
>> tells "unable to send message" but no log entry is created on the server.
>>
>> Did I miss any notification about this change?
> 
> there is no notification about that, and I am sorry for that too.
> 
>> Can anyone help me with customizing the Systemd override file so that
>> Synapse regains access to media_store_path and uploads_path?
> 
> Certainly.
> you can edit the synapse.service unit with the systemctl edit command
> and write ReadWritePaths=/srv/matrix
> in the [Service] section
> 
> you can read about systemd unit editing on the arch wiki[1] and consult
> systemd.exec man[2] for more information about unit restrictions.
> 
>> Any help is appreciated.
>>
>>
>> Thank you,
>>
>>    Uwe
> 
> [1]: https://wiki.archlinux.org/title/Systemd#Editing_provided_units
> [2]: https://man.archlinux.org/man/systemd.exec.5#SANDBOXING
> 
> --
> Sincerely, Alexander | Trusted User
> 
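
Added example, not part of the original thread or of the matrix-synapse package: a small check that the media_store_path and uploads_path values in a Synapse config fall under the unit's ReadWritePaths= list, so a customized path is caught before uploads fail. The sample config contents, the subdirectories under /srv/matrix and /opt/placeholder-default are constructed stand-ins; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: compare Synapse's configured storage paths with ReadWritePaths=.

# Print the value of a top-level "key: value" line from a YAML file, quotes removed.
yaml_value() {   # $1 = key, $2 = file
    awk -v k="$1" -F':[ \t]*' '$1 == k { print $2; exit }' "$2" | tr -d "\"'"
}

# Succeed if path $1 equals, or lies below, an entry of the space-separated list $2.
# Assumes no whitespace or glob characters inside the paths.
is_covered() {
    local path entry
    path=${1%/}
    for entry in $2; do
        entry=${entry#-}; entry=${entry#+}   # optional systemd "-" / "+" prefixes
        entry=${entry%/}
        case "$path/" in "$entry/"*) return 0 ;; esac
    done
    return 1
}

# Report each configured path; return 1 if any is outside the writable set.
check_synapse_paths() {   # $1 = homeserver.yaml, $2 = ReadWritePaths value
    local key path rc=0
    for key in media_store_path uploads_path; do
        path=$(yaml_value "$key" "$1")
        [ -n "$path" ] || continue
        if is_covered "$path" "$2"; then
            echo "ok      $key=$path"
        else
            echo "BLOCKED $key=$path"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample input. On a real host, pass the actual config file and
# "$(systemctl show -p ReadWritePaths --value synapse.service)" instead.
sample=$(mktemp)
printf '%s\n' 'media_store_path: "/srv/matrix/media_store"' \
              'uploads_path: /srv/matrix/uploads' > "$sample"
check_synapse_paths "$sample" "/opt/placeholder-default" || true       # both BLOCKED
check_synapse_paths "$sample" "/opt/placeholder-default /srv/matrix"   # both ok
rm -f "$sample"
```

Granting the narrowest directory that contains both paths keeps the rest of the packaged sandboxing in effect.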

