Pass secret as file path for security

[V02460]

The sliding sync proxy currently only takes its secret via the environment variable SYNCV3_SECRET. When used with systemd this is not considered secure:

Note that environment variables are not suitable for passing secrets (such as passwords, key material, …) to service processes. Environment variables set for a unit are exposed to unprivileged clients via D-Bus IPC, and generally not understood as being data that requires protection. Moreover, environment variables are propagated down the process tree, including across security boundaries (such as setuid/setgid executables), and hence might leak to processes that should not have access to the secret data.

From https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#Environment

Please change the sliding sync proxy to accept the path to a secret file.

[pcolladosoto]

Hi @V02460! I'd be more than happy to take a stab at this. I could have something working towards the end of the week: does that sound good?

[pcolladosoto]

This will hopefully be introduced on PR #446!

[Zelaf]

For more people coming across this and wish to have more security, I've come up with a clever workaround!

I created a script I simply named run.sh:

#!/bin/sh

## Get environmental variables

# PostgreSQL authentication
psql_username=$(cat /config/secrets/postgresql_username)
psql_password=$(cat /config/secrets/postgresql_password)
export SYNCV3_DB="postgres://${psql_username}:${psql_password}@postgresql:5432/syncserver?sslmode=disable"

# Matrix sync proxy secret
export SYNCV3_SECRET=$(cat /config/secrets/.secret)

# Matrix sync proxy server name
export SYNCV3_SERVER="https://your.homeserver.here"

# Setting bind address
export SYNCV3_BINDADDR=":8009"

## Run sync server
env /usr/bin/syncv3

Then in the same directory I created a directory called secrets where I keep three files for the authentication.

sliding-sync/
|-- run.sh
|-- secrets/
|   |-- .secret
|   |-- postgresql_username
|   |-- postgresql_password

postgresql_username: Username of the PostgreSQL server
postgresql_password: Password for the user on the PostgreSQL server
.secret: The generated secret file.

Then for the docker compose I did:

  sliding_sync:
    image: ghcr.io/matrix-org/sliding-sync:latest
    ports:
      - 8009:8009
    volumes:
      - ./sliding-sync:/config
    entrypoint: sh -c /config/run.sh # Runs the script instead of the usual entrypoint of the docker image.

While this won't be as completely secure, it'll at least help a little.

Hopefully a proper implementation comes soon!