Re: matrix-synapse "enhanced" security

Hello Alexander, hello Patrick,

thanks for your suggestions, they seem to work.

@Alexander: Would you mind adding this customization to the wiki article about Matrix/Synapse [1]? There is already a section regarding the read-only error but no work-around/solution yet.
Also, please accept my gratitude for your work maintaining the matrix-synapse package.

Thank you both,

	Uwe


[1] https://wiki.archlinux.org/title/Matrix

On 18.11.21 at 23:53, Alexander Epaneshnikov wrote:
> On Thu, Nov 18, 2021 at 08:02:23PM +0100, Uwe Sauter via arch-general wrote:
>> Dear all,

> hello Uwe.

>> beginning with matrix-synapse 1.44.0-1 in early October a Systemd override
>> file (see below for reference) was included in the package that aims to
>> enhance the security of Synapse. Amongst other things it tells Systemd to
>> restrict access to certain directories that are seen as defaults.

> yep. I did this.

>> Unfortunately this enhancement broke my setup by neglecting that there are
>> various paths inside Synapse's configuration that can be customized, e.g.
>> media_store_path and uploads_path.
>> The error I see in my logs is:

> sorry for that.

>> It is also impossible to insert pictures into the chat. The client just
>> tells "unable to send message" but no log entry is created on the server.
>>
>> Did I miss any notification about this change?

> there is no notification about that. and I am sorry for that too.

>> Can anyone help me with customizing the Systemd override file so that
>> Synapse regains access to media_store_path and uploads_path?

> Certainly.
> you can edit the synapse.service unit with the systemctl edit command
> and write ReadWritePaths=/srv/matrix
> in the [Service] section
>
> you can read about systemd unit editing on the arch wiki[1] and consult
> systemd.exec man[2] for more information about unit restrictions.

>> Any help is appreciated.
>>
>>
>> Thank you,
>>
>>    Uwe

> [1]: https://wiki.archlinux.org/title/Systemd#Editing_provided_units
> [2]: https://man.archlinux.org/man/systemd.exec.5#SANDBOXING
>
> --
> Sincerely, Alexander | Trusted User
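
The override suggested in the thread above, as an added example that is not part of the original messages or the matrix-synapse package: a small script that reads the customized media_store_path and uploads_path from a Synapse config and prints a matching [Service] drop-in, so write access is granted only to those directories. The function names gen_dropin and yaml_value are hypothetical, the sample paths under /srv/matrix are constructed, and the config is assumed to use plain top-level `key: value` lines.

```shell
#!/bin/sh
# Added example: derive ReadWritePaths= entries from Synapse's storage settings.

# Print the value of a simple top-level "key: value" line (assumption: no
# nested or multi-line YAML). Strips trailing comments and surrounding quotes.
yaml_value() {
    # $1 = key, $2 = config file
    sed -n "s/^$1:[[:space:]]*//p" "$2" | head -n 1 |
        sed -e 's/[[:space:]]\{1,\}#.*$//' -e 's/[[:space:]]*$//' \
            -e 's/^["'\'']//' -e 's/["'\'']$//'
}

# Emit a drop-in that re-opens write access for each configured path.
gen_dropin() {
    conf=$1
    echo "[Service]"
    for key in media_store_path uploads_path; do
        path=$(yaml_value "$key" "$conf")
        case $path in
            /*) echo "ReadWritePaths=$path" ;;  # systemd expects absolute paths
            "") ;;                               # key unset: nothing to add
            *)  echo "# skipped $key: '$path' is not an absolute path" ;;
        esac
    done
}

# Demo run on a constructed sample config (not taken from the thread).
demo=$(mktemp)
cat > "$demo" <<'EOF'
media_store_path: "/srv/matrix/media_store"
uploads_path: "/srv/matrix/uploads"
EOF
gen_dropin "$demo"
rm -f "$demo"
```

Paste the output into the editor opened by `systemctl edit synapse.service`, then restart the service so the new sandbox settings take effect.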