Debian package: `homeserver.yaml` is world-readable

[lanerussell]

Description: Restrict permissions of homeserver.yaml and other sensitive files.

By default, it seems that homeserver.yaml has ownership of 644. Given that this file can contain the registration key, turn secret, or other sensitive info, I believe this file should not be readable by all system users.

In addition, the homeserver.signing.key has permissions of 644, also making it readable by all system users.

I would suggest restricting the visibility of this file only to the user who needs to be able to read it (matrix-synapse on Ubuntu).

note: This is the default behaviour I've observed when installing matrix-synapse on Ubuntu 18.04 via the repo at https://packages.matrix.org/debian/.

[richvdh]

related to #1528

[nodiscc]

This problem is still present 3 years later.

deploy@host224:~$ ls -ld /etc/matrix-synapse/
drwxr-xr-x 3 matrix-synapse matrix-synapse 4096 Jan 18 15:42 /etc/matrix-synapse/
deploy@host224:~$ ls -ld /etc/matrix-synapse/homeserver.yaml 
-rw-r--r-- 1 root root 4821 Dec 27 14:38 /etc/matrix-synapse/homeserver.yaml

Currently any process on the host can read the secrets contained in the configuration file (database password, registration shared secret, macaroon secret key...

Changing the file mode to something more restrictive (removing world read permissions) prevents synapse from starting.

I think fixing this should be a higher priority. This issue is labeled Z-Help-Wanted: We know exactly how to fix this issue, and would be grateful for any contribution, I could contribute a patch if someone could take the time to detail how to fix this (@richvdh ?)

[richvdh]

Changing the file mode to something more restrictive (removing world read permissions) prevents synapse from starting.

Obviously, you will need to change the ownership as well so that the matrix-synapse user can read the file.

Ownership and permissions can both be set via dpkg-statoverride in the postinst file; see https://github.com/matrix-org/synapse/blob/develop/debian/matrix-synapse-py3.postinst#L46-L50 for an existing example. See also https://www.debian.org/doc/debian-policy/ch-files.html#the-use-of-dpkg-statoverride.

By the way, you might consider fixing #2955 while you're in the area.

[nodiscc]

Proposed fix in #15337 (for /etc/matrix-synapse/homeserver.yaml permissions).

This issue also mentions homeserver.signing.key which I didn't fix, must be addressed by a separate pull request.