From 79e675444caf7b491b2c0d25277b046d3f6d8e04 Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Sat, 22 May 2021 00:47:54 +0200
Subject: [PATCH] nixos/matrix-synapse: protect created files

Enforce UMask on the systemd unit to restrict the permissions of files created. Especially the homeserver signing key should not be world readable, and media is served through synapse itself, so no other user needs access to these files. Use a prestart chmod to fixup the permissions on the signing key.
---
 nixos/modules/services/misc/matrix-synapse.nix | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/nixos/modules/services/misc/matrix-synapse.nix b/nixos/modules/services/misc/matrix-synapse.nix
index 290b5af1d60..dff58745304 100644
--- a/nixos/modules/services/misc/matrix-synapse.nix
+++ b/nixos/modules/services/misc/matrix-synapse.nix
@@ -699,12 +699,12 @@ in {
 ];
 
 users.users.matrix-synapse = {
- group = "matrix-synapse";
- home = cfg.dataDir;
- createHome = true;
- shell = "${pkgs.bash}/bin/bash";
- uid = config.ids.uids.matrix-synapse;
- };
+ group = "matrix-synapse";
+ home = cfg.dataDir;
+ createHome = true;
+ shell = "${pkgs.bash}/bin/bash";
+ uid = config.ids.uids.matrix-synapse;
+ };
 
 users.groups.matrix-synapse = {
 gid = config.ids.gids.matrix-synapse;
@@ -726,6 +726,10 @@ in {
 User = "matrix-synapse";
 Group = "matrix-synapse";
 WorkingDirectory = cfg.dataDir;
+ ExecStartPre = [ ("+" + (pkgs.writeShellScript "matrix-synapse-fix-permissions" '' chown matrix-synapse:matrix-synapse ${cfg.dataDir}/homeserver.signing.key chmod 0600 ${cfg.dataDir}/homeserver.signing.key '')) ];
 ExecStart = ''
 ${cfg.package}/bin/homeserver \
 ${ concatMapStringsSep "\n " (x: "--config-path ${x} \\") ([ configFile ] ++ cfg.extraConfigFiles) }
@@ -733,6 +737,7 @@ in {
 '';
 ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID";
 Restart = "on-failure";
+ UMask = "0077";
 };
 };
 };
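Review bot: The new `matrix-synapse-fix-permissions` ExecStartPre entry aborts the unit whenever `${cfg.dataDir}/homeserver.signing.key` does not exist yet, because `chown` on a missing path exits non-zero and the entry carries no `-` prefix. The key is presumably generated by a preStart step outside this hunk, and which of the two ExecStartPre entries systemd runs first depends on how the module system merges the lists, so the script should tolerate a missing file with `[ -e "${cfg.dataDir}/homeserver.signing.key" ] || exit 0` ahead of the `chown`, and quote the path on the chown/chmod lines (`"${cfg.dataDir}/homeserver.signing.key"`) so a dataDir containing whitespace does not word-split. `UMask = "0077"` only governs files created from now on and the prestart only touches the key, so any media files or an SQLite database already present under dataDir keep their previous, possibly world-readable modes; given the description's claim that no other user needs these files, a `chmod 0700 ${cfg.dataDir}` in the same script would close that gap for existing deployments. The serviceConfig set and the enclosing systemd.services definition start and end outside the hunk.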