[Pkg-matrix-maintainers] Bug#1009083: matrix-synapse: ConfigurationDirectory permissions
Russell Coker
russell at coker.com.au
Thu Apr 7 04:52:27 BST 2022
Package: matrix-synapse
Version: 1.55.0-1~bpo11+1
Severity: normal

ConfigurationDirectory 'matrix-synapse' already exists but the mode is different. (File system: 700 ConfigurationDirectoryMode: 755)

After restarting Synapse I get the above in the output of systemctl status.

I think that the mode should be 700 or 750 (with the group of the directory set
to a matrix-synapse group not nogroup). It shouldn't default to world
readable, and it shouldn't whinge when the directory isn't world readable.

Also files with secret data such as homeserver.yaml and homeserver.signing.key
shouldn't be world readable, they should be 600 or 640.

https://wiki.debian.org/SystemGroups

The above Wiki says:
nogroup (user: nobody): Daemons that need not own any files run as user nobody
and group nogroup. Thus, no files on a system should be owned by this user or
group.

Files with secret cryptographic data definitely shouldn't be owned by nogroup!

-- System Information:
Debian Release: 11.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-13-amd64 (SMP w/2 CPU threads)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Enforcing - Policy name: default
Versions of packages matrix-synapse depends on:
ii adduser 3.118
ii debconf [debconf-2.0] 1.5.77
ii init-system-helpers 1.60
ii libjs-jquery 3.5.1+dfsg+~3.5.5-7
ii libpython3-stdlib 3.9.2-3
ii lsb-base 11.1.0
ii python3 3.9.2-3
ii python3-attr 20.3.0-1
ii python3-bcrypt 3.2.0-1~bpo11+1
ii python3-bleach 3.2.1-2.1
ii python3-canonicaljson 1.4.0-1
ii python3-cryptography 3.3.2-1
ii python3-distutils 3.9.2-1
ii python3-frozendict 1.2-3~bpo11+1
ii python3-idna 2.10-1
ii python3-ijson 3.1.4-1
ii python3-jinja2 3.0.3-1~bpo11+1
ii python3-jsonschema 3.2.0-3
ii python3-lxml 4.6.3+dfsg-0.1+deb11u1
ii python3-matrix-common 1.1.0-1~bpo11+1
ii python3-msgpack 1.0.0-6+b1
ii python3-nacl 1.4.0-1+b1
ii python3-netaddr 0.7.19-5
ii python3-openssl 20.0.1-1
ii python3-packaging 20.9-2
ii python3-phonenumbers 8.12.1-1
ii python3-pil 8.1.2+dfsg-0.3+deb11u1
ii python3-prometheus-client 0.9.0-1
ii python3-psycopg2 2.8.6-2
ii python3-pyasn1 0.4.8-1
ii python3-pyasn1-modules 0.2.1-1
ii python3-pymacaroons 0.13.0-4
ii python3-service-identity 18.1.0-6
ii python3-signedjson 1.1.1-2
ii python3-sortedcontainers 2.1.0-2
ii python3-systemd 234-3+b4
ii python3-treq 18.6.0-0.2
ii python3-twisted 20.3.0-7
ii python3-typing-extensions 3.10.0.2-1~bpo11+1
ii python3-unpaddedbase64 1.1.0-5
ii python3-yaml 5.3.1-5
Versions of packages matrix-synapse recommends:
pn matrix-synapse-ldap3 <none>
pn python3-pympler <none>
Versions of packages matrix-synapse suggests:
pn python3-authlib <none>
ii python3-jwt 1.7.1-2
-- Configuration Files:
/etc/matrix-synapse/homeserver.yaml changed [not included]
-- debconf information:
* matrix-synapse/server-name: coker.com.au
* matrix-synapse/report-stats: true
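
The checks this report asks for (directory 700 or 750, secret files 600 or 640, nothing group-owned by nogroup), written as an added example that is not part of the original message or of the package. The function names and the constructed temporary tree are assumptions; on a real system, pass /etc/matrix-synapse to audit().

```python
import grp
import os
import stat
import tempfile

# Modes proposed in the report (the reporter's suggestion, not a packaged default).
DIR_MODES = {0o700, 0o750}
FILE_MODES = {0o600, 0o640}
SECRET_FILES = ("homeserver.yaml", "homeserver.signing.key")

def group_name(gid):
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:  # gid with no entry in the group database
        return str(gid)

def audit(conf_dir, bad_group="nogroup"):
    """Return (path, problem, detail) tuples for the directory and its secrets."""
    findings = []
    targets = [(conf_dir, DIR_MODES)]
    targets += [(os.path.join(conf_dir, n), FILE_MODES) for n in SECRET_FILES]
    for path, allowed in targets:
        try:
            st = os.lstat(path)  # lstat: report on the entry itself, not a link target
        except FileNotFoundError:
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & stat.S_IRWXO:  # any permission bit set for "other"
            findings.append((path, "world-accessible", oct(mode)))
        elif mode not in allowed:
            findings.append((path, "unexpected-mode", oct(mode)))
        if group_name(st.st_gid) == bad_group:
            findings.append((path, "bad-group", bad_group))
    return findings

def make_sample_tree():
    """Constructed sample: a 755 directory holding one 644 and one 600 file."""
    root = tempfile.mkdtemp()
    for name, mode in zip(SECRET_FILES, (0o644, 0o600)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed placeholder\n")
        os.chmod(path, mode)
    os.chmod(root, 0o755)
    return root

if __name__ == "__main__":
    for finding in audit(make_sample_tree()):
        print(*finding)
```
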