Package Details: cryptpad 5.0.0-1

Git Clone URL: https://aur.archlinux.org/cryptpad.git (read-only)
Package Base: cryptpad
Description: Realtime collaborative visual editor with zero knowledge server
Upstream URL: https://github.com/xwiki-labs/cryptpad
Keywords: collaborative
Licenses: AGPL3
Submitter: anonfunc
Maintainer: buzo
Last Packager: buzo
Votes: 7
Popularity: 0.91
First Submitted: 2019-06-08 16:40 (UTC)
Last Updated: 2022-06-07 19:03 (UTC)

Latest Comments

RoKoInfo commented on 2021-09-11 08:48 (UTC)

@buzo @ChrisTX I see the cryptpad:http combinations for e.g. blob, however, the combination cryptpad:cryptpad and 0750 still does not allow read access for nginx for e.g. blob, so login is still prohibited in the current situation. At least on my machine, so please recheck. Thanks.

RoKoInfo commented on 2021-07-22 18:54 (UTC)

@buzo @ChrisTX This approach only works for me if /var/lib/cryptpad is world readable. Otherwise I cannot log in, aka I receive a "Permission denied" from nginx when trying to read a block. Please check from your side.

buzo commented on 2021-07-09 10:43 (UTC)

Thanks ChrisTX – I've adjusted the permissions in the package as suggested.

RoKoInfo commented on 2021-07-01 19:11 (UTC)

Sorry, misleading description: groups http = http cryptpad and groups cryptpad = cryptpad. Gives http the theoretical access to some unneeded folders, but it is very simple. I do not think that this is a security issue, however, as soon as it is implemented in the package, I would follow the approach of choice there.

ChrisTX commented on 2021-06-29 20:16 (UTC)

No, I mean, cryptpad shouldn't be part of http. That will allow it to read all files available to the web services, a permission which it doesn't need to have. Disregarding POSIX ACLs, the only 'proper' way of doing this is changing ownership to cryptpad:http and then setting the setgid bit on each of the subfolders nginx needs to access. I've done that right now in my own setup, but the package should do that.

RoKoInfo commented on 2021-06-29 19:55 (UTC)

@ChrisTX Yes, you are right. I replaced again the LTS version with nodejs, and it seems to work. It is the read access of http to the folders you mention. Currently, I added http to the group cryptpad, which then allows for it, and which I think is not part of the PKGBUILD right now, right?

ChrisTX commented on 2021-06-29 12:27 (UTC)

@RoKoInfo No you're not wrong. The way cryptpad handles /blob and /block is by using try_files with nginx - so the server needs to be able to access those folders. Cryptpad should run fine with nodejs, and not require the LTS variant.

This is a bit of a mess, but the only reasonable solution I can see is to make the blob, block and datastore (that's for debugging purposes only tho) readable by nginx, i.e. http. Additionally, this will need the setgid bit on the folder. It's not necessary to make data or logs readable by nginx, they'll only be accessed by the nodejs service.

There's no real beautiful solution for cryptpad overall, as the app is supposed to be run in its source folder, and not really the way you'd package it.

RoKoInfo commented on 2021-06-20 10:32 (UTC)

Ok, I caught the trick: Use nodejs-lts-erbium instead of nodejs. So forget about the comments below.

RoKoInfo commented on 2021-06-05 12:57 (UTC)

If I change the directory rights of /var/lib/cryptpad to 770 and extend the service with UMask=0007, the error message changes to Can't remove login block, which seems to be again a 404 issue. The file is there, and the user http can delete it.

General question: Does it make sense to access /var/lib/cryptpad as http (nginx) instead of cryptpad (node)?

RoKoInfo commented on 2021-06-05 10:47 (UTC) (edited on 2021-06-05 10:48 (UTC) by RoKoInfo)

Unfortunately, I can not make this work. @buzo @ChrisTX Is this operational on your machines?

If I do a /checkup/, I get the message »Unable to create, retrieve, or remove encrypted credentials from the server.«, and a Can't read login block in the console, which seems to be reasonable to me, since the folder /var/lib/cryptpad is not accessible for nginx.

If I try a /login/, I get a 404 for the same reason, since nginx tries to access a URL .../block/... (although, however, the requested file is there).

How to fix this and leave the security measures (which I am not understanding fully) of Arch in place? Thank you in advance.

qawsedrftgzh commented on 2021-05-13 15:56 (UTC)

Uhmm... I'm quite unfamiliar with webapps, but I think I really need to try this out, because this is a thing I have long searched for (good self hosted, online office). But when I have installed the package, how do I run it? I am a noob, btw.

buzo commented on 2021-04-05 19:26 (UTC)

Many thanks for your detailed explanation and patch, ChrisTX! (I noticed it a bit late though.)

I have just applied your patch as-is and will test myself later when I have the time.

ChrisTX commented on 2021-04-05 03:59 (UTC) (edited on 2021-04-05 04:00 (UTC) by ChrisTX)

Thanks a lot for the hard work, buzo. I've tried your latest build, and noticed the following issues now:

  • The node_modules folder isn't populated as intended, so it doesn't start up once again. This is because --prefix only really works with -g, see the npm docs here. To explain, with --prefix or -g and a local path (and just executing it without any further parameter is like executing it with path ./), npm creates a symlink to a global directory with the binaries populated (cryptpad has none set). The model of installing as we want it to work only works if you use npm install -g against a .tgz created by npm pack. It's possible to use the tar file that way, but the resulting directory structure is a gigantic mess and it's only really reasonable for applications that have a populated binary array. I believe having the build step and then copying over the needed files is less messy than trying to do that since cryptpad is not designed for that installation model.
  • The .service file needs updating to the new (correct) path in /webapps (thanks by the way, I on the other hand was not aware of the Web App packaging guidelines! :D ) It also lacks any sort of hardening.
  • The permissions on the $pkgdir/var/lib/$pkgname"/{blob,block,data{,store},logs} folders differ from the package towards the tmpfiles.d values, 755 vs 750, so it complains upon installation. I'm not sure if it's "cleaner" to use tmpfiles to create the files, or this way, but relying on tmpfiles makes namcap complain, so it's probably fine.

In total, the patch below is what I've come up with, including hardening. I'm also running an instance of cryptpad myself with this package, and I can confirm with those it works fine using a minimally adjusted nginx configuration. As an added extra, it would be conceivable to correct the path to cryptpad in the example file installed as documentation (this line here).

diff --git a/PKGBUILD b/PKGBUILD
index 48b85aa..40eec9d 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -17,32 +17,37 @@ source=("$pkgname-$pkgver.tar.gz::https://github.com/xwiki-labs/cryptpad/archive
         "cryptpad.sysusers"
         "cryptpad.tmpfiles")
 sha256sums=('7d4d3652e911b5f78439c7b2deea48ad0df179a633dc4e9d229aeb0714c1a3d2'
-            '522851fbe4e0e41fd6ece8b2b0ed17bbae0233a58328b7994a5207aa341a635b'
+            '792da71f113aa15177a654e08a31dabd9be864ceb42f64d55cc46d18875c475b'
             '999a271d64b75c7c447fdb21486b27463c04679677e57ea9551a3b0429c618f6'
             '617ee2a7b3e81184dc82df8b800898092b1001fdbd57c3edc317512e3aee70a0')

-package() {
+build() {
     cd "$pkgname-$pkgver"
     export NODE_ENV=production
-    npm install --user root --prefix "$pkgdir/usr/share/webapps/$pkgname" --cache "$srcdir"/npm-cache
-    bower install --allow-root
-    # remove unneeded man pages
-    sed -i '/"man/d' www/bower_components/marked/package.json
-    rm -r www/bower_components/marked/man
+    npm install --cache "$srcdir"/npm-cache
+    bower install -p --allow-root
+}
+
+package() {
+    cd "$pkgname-$pkgver"

     # npm gives ownership of ALL FILES to build user
     # https://bugs.archlinux.org/task/63396
     chown -R root:root "$pkgdir"

-    # Remove references to $pkgdir
-    find "$pkgdir" -type f -name package.json -print0 | xargs -0 sed -i '/_where/d'
+    # remove unneeded man pages
+    sed -i '/"man/d' www/bower_components/marked/package.json
+    rm -r www/bower_components/marked/man
+
+    # Remove references to $srcdir
+    find . -type f -name package.json -print0 | xargs -0 sed -i '/_where/d'

     # Documentation
     install -t "$pkgdir/usr/share/doc/$pkgname" -Dm 644 docs/{ARCHITECTURE.md,example.nginx.conf} CHANGELOG.md

     # Cryptpad
     install -Dt "$pkgdir/usr/share/webapps/$pkgname" package.json server.js
-    cp -rt "$pkgdir/usr/share/webapps/$pkgname" customize.dist lib scripts www
+    cp -rt "$pkgdir/usr/share/webapps/$pkgname" customize.dist lib node_modules scripts www
     rmdir "$pkgdir/usr/share/webapps/$pkgname/www/bower_components/codemirror/mode/rpm/changes"
     # Config
     sed -e "s|\(Path: '\)\./|\1/var/lib/cryptpad/|" \
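Review bot: the `chown -R root:root "$pkgdir"` at the top of package() now runs before anything has been installed into $pkgdir (node_modules only arrives with the later `cp -rt ... node_modules ...` line), so it no longer covers the tree the linked bug report is about; either move it after the `cp -rt` line or drop it together with its comment, since package() runs under fakeroot and `cp` without `-p` does not preserve the build user's ownership anyway.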
@@ -51,9 +56,9 @@ package() {
         -i config/config.example.js

     install -Dm 644 config/config.example.js "${pkgdir}/etc/webapps/$pkgname/config.js"
-    ln -s ../../../../etc/webapps/"$pkgname" "$pkgdir/usr/share/webapps/$pkgname/config"
-    install -d "$pkgdir/var/lib/$pkgname"/{blob,block,data{,store},logs}
-    ln -s ../../../../var/lib/"$pkgname"/{blob,block,data{,store}} "$pkgdir/usr/share/webapps/$pkgname"
+    ln -s /etc/webapps/"$pkgname" "$pkgdir/usr/share/webapps/$pkgname/config"
+    install -dm 750 "$pkgdir/var/lib/$pkgname"/{,blob,block,data{,store},logs}
+    ln -s /var/lib/"$pkgname"/{blob,block,data{,store}} "$pkgdir/usr/share/webapps/$pkgname"

     # systemd
     install -Dm 644 "${srcdir}"/cryptpad.sysusers "${pkgdir}"/usr/lib/sysusers.d/cryptpad.conf
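Review bot: `install -dm 750 "$pkgdir/var/lib/$pkgname"/{,blob,block,data{,store},logs}` together with the cryptpad:cryptpad ownership applied by tmpfiles leaves blob and block unreadable by the nginx user, yet those two are exactly the directories nginx serves via try_files; consider cryptpad:http ownership with the setgid bit (mode 2750) on blob, block and datastore and keep only data and logs private to the service user.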
diff --git a/cryptpad.service b/cryptpad.service
index 672e7a9..c1cdf89 100644
--- a/cryptpad.service
+++ b/cryptpad.service
@@ -1,10 +1,16 @@
 [Unit]
 Description=CryptPad service
+After=network.target

 [Service]
-ExecStart=/usr/bin/node /usr/share/cryptpad/server.js
-WorkingDirectory=/usr/share/cryptpad
+ExecStart=/usr/bin/node /usr/share/webapps/cryptpad/server.js
+WorkingDirectory=/usr/share/webapps/cryptpad
 User=cryptpad
+Group=cryptpad
+ReadWritePaths=/var/lib/cryptpad
+ProtectHome=yes
+NoNewPrivileges=yes
+PrivateTmp=yes

 [Install]
 WantedBy=multi-user.target
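Review bot: `ReadWritePaths=/var/lib/cryptpad` only restricts anything when paired with `ProtectSystem=`, which this unit does not set; add `ProtectSystem=strict` so /usr, /etc and the rest of the file system are read-only for the service and /var/lib/cryptpad is the single writable exception. `Restart=on-failure` would also be reasonable for a network-facing service.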

buzo commented on 2021-04-04 17:33 (UTC)

Thanks ChrisTX, I wasn't aware of the Node.js packaging guidelines. I hope it works better now.

ChrisTX commented on 2021-03-27 23:45 (UTC)

Sorry, I was really busy and couldn't do anything.

The build process wasn't really that weird, it was inspired by the Node.js packaging guidelines but this isn't quite right in this case. You should use the production dependencies, and the node cache folder is important so it doesn't pollute the .npm folder of the build user, as described in the guidelines. In the same way, the find ... line and --user root commands are explained there and why they're needed.

Furthermore, the package still makes /usr writeable for the Cryptpad data, which is obviously not wanted. I've updated my previous patch to match the latest version:

diff --git a/PKGBUILD b/PKGBUILD
index b7029fb..b0400f5 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -17,17 +17,21 @@ source=("$pkgname-$pkgver.tar.gz::https://github.com/xwiki-labs/cryptpad/archive
 sha256sums=('aefa5853981b11853aad60439071fa9e3b5e5fd0642cb48adf7cd1e8133dc8f5'
             '522851fbe4e0e41fd6ece8b2b0ed17bbae0233a58328b7994a5207aa341a635b'
             '999a271d64b75c7c447fdb21486b27463c04679677e57ea9551a3b0429c618f6'
-            'dc2207b11876160ad42b2e65aea384437c11fba82c98d74e7eb6aa84b191c49b')
+            '8e5a200747cb77142cf6d08d3490fefc0d3142f196da13c84d3e530b30f6f72b')

 build() {
     cd "$pkgname-$pkgver"
-    npm install
-    bower install
+    export NODE_ENV=production
+    npm install --user root --cache "${srcdir}/npm-cache"
+    bower install --allow-root
 }

 package() {
     cd "$pkgname-$pkgver"

+    # make sure directory permissions are acceptable
+    find . -type d -exec chmod 755 {} +
+
     # Documentation
     install -t "$pkgdir/usr/share/doc/$pkgname" -Dm 644 docs/{ARCHITECTURE.md,example.nginx.conf} CHANGELOG.md

@@ -45,6 +49,12 @@ package() {
     install -Dm 644 config/config.example.js "${pkgdir}/etc/webapps/$pkgname/config.example.js"
     ln -s "../../../etc/webapps/$pkgname" "$pkgdir/usr/share/$pkgname/config"

+    # File directories
+    ln -s "/var/lib/$pkgname/blob" "$pkgdir/usr/share/$pkgname/blob"
+    ln -s "/var/lib/$pkgname/block" "$pkgdir/usr/share/$pkgname/block"
+    ln -s "/var/lib/$pkgname/data" "$pkgdir/usr/share/$pkgname/data"
+    ln -s "/var/lib/$pkgname/datastore" "$pkgdir/usr/share/$pkgname/datastore"
+
     # systemd
     install -Dm 644 "${srcdir}"/cryptpad.sysusers "${pkgdir}"/usr/lib/sysusers.d/cryptpad.conf
     install -Dm 644 "${srcdir}"/cryptpad.service "${pkgdir}"/usr/lib/systemd/system/cryptpad.service
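Review bot: the four `ln -s "/var/lib/$pkgname/..."` lines use absolute targets while the config link just above uses a relative `../../../etc/webapps/$pkgname`; pick one style, and with a relative target (`../../../var/lib/"$pkgname"/{blob,block,data,datastore}`) the four lines collapse into a single brace-expanded `ln -s` that also resolves inside $pkgdir.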
diff --git a/cryptpad.tmpfiles b/cryptpad.tmpfiles
index c1d145a..9926ee2 100644
--- a/cryptpad.tmpfiles
+++ b/cryptpad.tmpfiles
@@ -1,3 +1,7 @@
-d /var/lib/cryptpad 0755 cryptpad cryptpad
-Z /usr/share/cryptpad - cryptpad cryptpad
-
+d /var/lib/cryptpad
+d /var/lib/cryptpad/blob
+d /var/lib/cryptpad/block
+d /var/lib/cryptpad/data
+d /var/lib/cryptpad/datastore
+d /var/lib/cryptpad/logs
+Z /var/lib/cryptpad 0750 cryptpad cryptpad
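Review bot: the `d /var/lib/cryptpad...` lines carry no mode or owner, so the directories are first created as 0755 root:root and then corrected by the recursive `Z` line; giving each `d` line its mode and owner directly (`d /var/lib/cryptpad 0750 cryptpad cryptpad -`, and the same for the subdirectories) creates them correctly in the first place and avoids a recursive chmod/chown over every stored pad on each boot.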

buzo commented on 2021-03-27 18:17 (UTC)

Okay, it should be fixed now. The build process was a bit weird before.

buzo commented on 2021-03-15 13:20 (UTC)

ChrisTX: Please go ahead and fix this package. I don't have enough time currently.

ChrisTX commented on 2021-03-13 23:51 (UTC) (edited on 2021-03-13 23:56 (UTC) by ChrisTX)

No, the node_modules folder is critical, that's where the dependencies go into. Without the folder, the app cannot run.

Cryptpad doesn't support global installation seemingly, and that's what's breaking. The PKGBUILD is inconsistent in how it wants to do this, that's what caused the error.

Furthermore, don't use tmpfiles to change permissions in /usr! It's not necessary, all that's missing are symlinks to /var/lib/cryptpad/... folders and these are writable and have correct permission. Don't make /usr/share/cryptpad actually writable and the data storage location for the pads. It should also not be world-readable.

The following should fix the package, although people who already installed the last version will need to fix permissions in /usr/share/cryptpad now.

diff --git a/PKGBUILD b/PKGBUILD
index 5ea587e..460ef68 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -14,18 +14,18 @@ source=("$pkgname-$pkgver.tar.gz::https://github.com/xwiki-labs/cryptpad/archive
         "cryptpad.service"
         "cryptpad.sysusers"
         "cryptpad.tmpfiles")
-sha256sums=('a54a254f696f7aaa6e2492d6561bccd62919217c7ece3cff97179b9746802128'
+sha256sums=('0e769b0184741907bf5cdd0f5bb0488d43589435f2f102e53d7d64e666978a65'
             '522851fbe4e0e41fd6ece8b2b0ed17bbae0233a58328b7994a5207aa341a635b'
             '999a271d64b75c7c447fdb21486b27463c04679677e57ea9551a3b0429c618f6'
-            'dc2207b11876160ad42b2e65aea384437c11fba82c98d74e7eb6aa84b191c49b')
+            '8e5a200747cb77142cf6d08d3490fefc0d3142f196da13c84d3e530b30f6f72b')

 package() {
     cd "$pkgname-$pkgver"

-    npm install -g --user root --prefix "${pkgdir}"/usr --cache "${srcdir}/npm-cache"
-    bower install --allow-root
+    export NODE_ENV=production

-    rm -r "$pkgdir"/usr
+    npm install --user root --cache "${srcdir}/npm-cache"
+    bower install --allow-root

     # make sure directory permissions are acceptable
     find . -type d -exec chmod 755 {} +
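Review bot: `npm install` and `bower install` are still invoked from package(), i.e. under fakeroot and during the packaging step; move them into a build() function so the network fetch and any native compilation happen outside fakeroot. Exporting `NODE_ENV=production` before them is the right call, as it drops devDependencies from the install.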
@@ -35,7 +35,7 @@ package() {

     # Cryptpad
     install -Dt "$pkgdir/usr/share/$pkgname" package.json server.js
-    cp -rt "$pkgdir/usr/share/$pkgname" customize.dist lib scripts www
+    cp -rt "$pkgdir/usr/share/$pkgname" customize.dist lib node_modules scripts www
     rmdir "$pkgdir/usr/share/$pkgname/www/bower_components/codemirror/mode/rpm/changes"

     # Config
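Review bot: `cp -rt ... node_modules ...` copies the installed tree verbatim, including the per-package `package.json` files in which npm records the install location (the `_where` field), so $srcdir leaks into the package; strip those entries before copying, e.g. with `find . -type f -name package.json -print0 | xargs -0 sed -i '/_where/d'`.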
@@ -47,6 +47,12 @@ package() {
     install -Dm 644 config/config.example.js "${pkgdir}/etc/webapps/$pkgname/config.example.js"
     ln -s "../../../etc/webapps/$pkgname" "$pkgdir/usr/share/$pkgname/config"

+    # File directories
+    ln -s "/var/lib/$pkgname/blob" "$pkgdir/usr/share/$pkgname/blob"
+    ln -s "/var/lib/$pkgname/block" "$pkgdir/usr/share/$pkgname/block"
+    ln -s "/var/lib/$pkgname/data" "$pkgdir/usr/share/$pkgname/data"
+    ln -s "/var/lib/$pkgname/datastore" "$pkgdir/usr/share/$pkgname/datastore"
+
     # systemd
     install -Dm 644 "${srcdir}"/cryptpad.sysusers "${pkgdir}"/usr/lib/sysusers.d/cryptpad.conf
     install -Dm 644 "${srcdir}"/cryptpad.service "${pkgdir}"/usr/lib/systemd/system/cryptpad.service
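Review bot: after this change /usr/share/$pkgname/{blob,block,data,datastore} become symlinks, but systems that ran the previous version have real, cryptpad-owned directories at those paths (created by the old `Z /usr/share/cryptpad` tmpfiles line and the service's own mkdir), which pacman reports as file conflicts rather than replacing; the "fix permissions" remark in the comment text should become an explicit upgrade note or a post_upgrade hint about moving that data to /var/lib/cryptpad.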
diff --git a/cryptpad.tmpfiles b/cryptpad.tmpfiles
index c1d145a..9926ee2 100644
--- a/cryptpad.tmpfiles
+++ b/cryptpad.tmpfiles
@@ -1,3 +1,7 @@
-d /var/lib/cryptpad 0755 cryptpad cryptpad
-Z /usr/share/cryptpad - cryptpad cryptpad
-
+d /var/lib/cryptpad
+d /var/lib/cryptpad/blob
+d /var/lib/cryptpad/block
+d /var/lib/cryptpad/data
+d /var/lib/cryptpad/datastore
+d /var/lib/cryptpad/logs
+Z /var/lib/cryptpad 0750 cryptpad cryptpad
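Review bot: the recursive `Z /var/lib/cryptpad 0750 cryptpad cryptpad` resets group and mode on blob and block as well, which makes them unreadable to the nginx user that has to serve them; set mode and owner on the individual `d` lines instead (blob, block and datastore with the web server's group, data and logs with cryptpad's own) and drop the recursive `Z`, which otherwise walks every stored pad on each boot.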

buzo commented on 2021-03-13 10:37 (UTC)

spychodelics: I have removed node_modules, but I don't have time to test it now. Hope it still works …

satcom886: done (finally :)

spychodelics commented on 2021-03-09 15:07 (UTC) (edited on 2021-03-09 15:35 (UTC) by spychodelics)

4.1.0 fails with

cp: der Aufruf von stat für 'node_modules' ist nicht möglich: Datei oder Verzeichnis nicht gefunden

removing node_modules fixes the build process but breaks the functionality

satcom886 commented on 2020-06-22 21:21 (UTC)

Other than that it works flawlessly (after I changed the owner of /usr/share/cryptpad to cryptpad).

satcom886 commented on 2020-06-22 20:42 (UTC)

I'm getting a permission error when starting the service for the first time. I think the /usr/share/cryptpad directory should be owned by the cryptpad user.

           if (err) { throw err; }
                      ^
[Error: EACCES: permission denied, mkdir '/usr/share/cryptpad/data'] {
  errno: -13,
  code: 'EACCES',
  syscall: 'mkdir',
  path: '/usr/share/cryptpad/data'
 }

anonfunc commented on 2019-10-04 07:47 (UTC)

Update to 3.2.0 is untested, since I currently don't have access to a running instance.

Please report any issues.