Pass secret as file path for security #415

Open
V02460 opened this issue Apr 4, 2024 · 3 comments

V02460 commented Apr 4, 2024

The sliding sync proxy currently only takes its secret via the environment variable SYNCV3_SECRET. When used with systemd this is not considered secure:

> Note that environment variables are not suitable for passing secrets (such as passwords, key material, …) to service processes. Environment variables set for a unit are exposed to unprivileged clients via D-Bus IPC, and generally not understood as being data that requires protection. Moreover, environment variables are propagated down the process tree, including across security boundaries (such as setuid/setgid executables), and hence might leak to processes that should not have access to the secret data.

From https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#Environment

Please change the sliding sync proxy to accept the path to a secret file.
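
One way the requested option could behave, as an added example that is not the project's code and not part of the original post: `SYNCV3_SECRET_FILE` is a hypothetical variable name, and rejecting files that other local users can access is an assumption of this example.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"os"
	"strings"
)

// loadSecret prefers the file named by fileVar and falls back to envVar.
// fileVar ("SYNCV3_SECRET_FILE" below) is a hypothetical name, not a documented option.
func loadSecret(envVar, fileVar string) (string, error) {
	path := os.Getenv(fileVar)
	if path == "" {
		v := os.Getenv(envVar)
		os.Unsetenv(envVar) // keep the value out of child processes started later
		if v == "" {
			return "", fmt.Errorf("neither %s nor %s is set", fileVar, envVar)
		}
		return v, nil
	}
	f, err := os.Open(path)
	if err != nil {
		return "", fmt.Errorf("open %s: %w", fileVar, err)
	}
	defer f.Close()
	info, err := f.Stat() // stat the opened handle, not the path, to avoid a swap in between
	if err != nil {
		return "", fmt.Errorf("stat %s: %w", fileVar, err)
	}
	if !info.Mode().IsRegular() || info.Mode().Perm()&0o007 != 0 {
		return "", fmt.Errorf("secret file must be a regular file closed to other users (mode %04o)", info.Mode().Perm())
	}
	raw, err := io.ReadAll(f)
	if err != nil {
		return "", fmt.Errorf("read %s: %w", fileVar, err)
	}
	secret := strings.TrimRight(string(raw), "\r\n") // editors and echo append a newline
	if secret == "" {
		return "", errors.New("secret file is empty")
	}
	return secret, nil
}

func main() {
	secret, err := loadSecret("SYNCV3_SECRET", "SYNCV3_SECRET_FILE")
	if err != nil {
		fmt.Fprintln(os.Stderr, "config error:", err)
		os.Exit(1)
	}
	fmt.Printf("loaded secret (%d bytes)\n", len(secret))
}
```

With the file variant, the process environment carries only a path, so the D-Bus and process-tree exposure quoted above reveals where the secret lives rather than the secret itself.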

@pcolladosoto

Hi @V02460! I'd be more than happy to take a stab at this. I could have something working towards the end of the week: does that sound good?

@pcolladosoto

This will hopefully be introduced in PR #446!

Zelaf commented Aug 10, 2024

For people coming across this who wish to have more security, I've come up with a clever workaround!

I created a script I simply named run.sh:

```sh
#!/bin/sh
# Abort if a secret file is missing or a variable is unset.
set -eu

## Set environment variables

# PostgreSQL authentication
psql_username=$(cat /config/secrets/postgresql_username)
psql_password=$(cat /config/secrets/postgresql_password)
export SYNCV3_DB="postgres://${psql_username}:${psql_password}@postgresql:5432/syncserver?sslmode=disable"

# Matrix sync proxy secret (assigned first so a failing cat is not masked by export)
SYNCV3_SECRET=$(cat /config/secrets/.secret)
export SYNCV3_SECRET

# Matrix sync proxy server name
export SYNCV3_SERVER="https://your.homeserver.here"

# Setting bind address
export SYNCV3_BINDADDR=":8009"

## Run sync server (exec replaces the shell so signals reach syncv3 directly)
exec /usr/bin/syncv3
```

Then in the same directory I created a directory called secrets where I keep three files for the authentication.

```
sliding-sync/
|-- run.sh
|-- secrets/
|   |-- .secret
|   |-- postgresql_username
|   |-- postgresql_password
```

postgresql_username: Username of the PostgreSQL server
postgresql_password: Password for the user on the PostgreSQL server
.secret: The generated secret file.

Then for the docker compose I did:

```yaml
  sliding_sync:
    image: ghcr.io/matrix-org/sliding-sync:latest
    ports:
      - 8009:8009
    volumes:
      - ./sliding-sync:/config
    entrypoint: sh -c /config/run.sh # Runs the script instead of the usual entrypoint of the docker image.
```

While this won't be as completely secure, it'll at least help a little.

Hopefully a proper implementation comes soon!
