Package Details: cryptpad 5.3.0-1
Git Clone URL: | https://aur.archlinux.org/cryptpad.git |
---|---|
Package Base: | cryptpad |
Description: | Realtime collaborative visual editor with zero knowledge server |
Upstream URL: | https://github.com/cryptpad/cryptpad |
Keywords: | collaborative |
Licenses: | AGPL3 |
Submitter: | anonfunc |
Maintainer: | buzo |
Last Packager: | buzo |
Votes: | 8 |
Popularity: | 0.002509 |
First Submitted: | 2019-06-08 16:40 (UTC) |
Last Updated: | 2023-05-29 18:01 (UTC) |
Dependencies (7)
- nodejs (nodejs6-bin, nodejs-nightly, nodejs-git, nodejs-lts-fermium, nodejs-lts-gallium, nodejs-lts-hydrogen)
- bower (make)
- git (git-vfs, git-run-command-patch-git, git-git, git-fc) (make)
- npm (nodejs6-bin, nodejs-nightly, corepacker) (make)
- certbot (certbot-git) (optional) – Let’s Encrypt – automatically receive and install X.509 certificates to enable TLS
- certbot-nginx (certbot-nginx-git) (optional) – Nginx plugin for Let’s Encrypt client
- nginx (nginx-nchan-git, nginx-nchan, nginx-pagespeed, nginx-pagespeed-src, nginx-rtmp, nginx-rtmp-src, nginx-rtmp-sergey-git, nginx-mainline-libressl, nginx-mainline-boringssl, nginx-minimal, nginx-quic-vkontakte, zestginx, nginx-quiche, nginx-quic-openssl-hg, nginx-mainline-pushstream, nginx-libressl, tengine, nginx-quic, tengine-extra, nginx-mainline) (optional) – HTTP server providing TLS
Latest Comments
RoKoInfo commented on 2021-09-11 08:48 (UTC)
@buzo @ChrisTX I see the `cryptpad:http` combinations for e.g. `blob`, however, the combination `cryptpad:cryptpad` and `0750` still does not allow read access for nginx for e.g. blob, so login is still prohibited in the current situation. At least on my machine, so please recheck. Thanks.
RoKoInfo commented on 2021-07-22 18:54 (UTC)
@buzo @ChrisTX This approach only works for me, if `/var/lib/cryptpad` is world readable. Otherwise I can not log in, aka I receive a "Permission denied" from nginx, when trying to read a block. Please check from your side.
buzo commented on 2021-07-09 10:43 (UTC)
Thanks ChrisTX – I've adjusted the permissions in the package as suggested.
RoKoInfo commented on 2021-07-01 19:11 (UTC)
Sorry, misleading description: `groups http` = `http cryptpad` and `groups cryptpad` = `cryptpad`. Gives `http` the theoretical access to some unneeded folders, but it is very simple. I do not think that this is a security issue, however, as soon as it is implemented in the package, I would follow the approach of choice there.
ChrisTX commented on 2021-06-29 20:16 (UTC)
No, I mean, `cryptpad` shouldn't be part of `http`. That will allow it to read all files available to the web services, a permission which it doesn't need to have. Disregarding POSIX ACLs, the only 'proper' way of doing this is changing ownership to `cryptpad:http` and then setting the setgid bit on each of the subfolders nginx needs to access. I've done that right now in my own setup, but the package should do that.
RoKoInfo commented on 2021-06-29 19:55 (UTC)
@ChrisTX Yes, you are right. I replaced again the LTS version with `nodejs`, and it seems to work. It is the read access of `http` to the folders you mention. Currently, I added `http` to the group `cryptpad`, which then allows for it, and which I think is not part of the PKGBUILD right now, right?
ChrisTX commented on 2021-06-29 12:27 (UTC)
@RoKoInfo No you're not wrong. The way cryptpad handles `/blob` and `/block` is by using `try_files` with nginx - so the server needs to be able to access those folders. Cryptpad should run fine with `nodejs`, and not require the LTS variant.
This is a bit of a mess, but the only reasonable solution I can see is to make the `blob`, `block` and `datastore` (that's for debugging purposes only tho) readable by nginx, i.e. `http`. Additionally, this will need the setgid bit on the folder. It's not necessary to make `data` or `logs` readable by nginx, they'll only be accessed by the nodejs service.
There's no real beautiful solution for cryptpad overall, as the app is supposed to be run in its source folder, and not really the way you'd package it.
RoKoInfo commented on 2021-06-20 10:32 (UTC)
Ok, I caught the trick: Use `nodejs-lts-erbium` instead of `nodejs`. So forget about the comments below.
RoKoInfo commented on 2021-06-05 12:57 (UTC)
If I change the directory rights of `/var/lib/cryptpad` to `770` and extend the service with `UMask=0007`, the error message changes to `Can't remove login block`, which seems to be again a 404 issue. The file is there, and the user `http` can delete it.
General question: Does it make sense to access `/var/lib/cryptpad` as `http` (nginx) instead of `cryptpad` (node)?
RoKoInfo commented on 2021-06-05 10:47 (UTC) (edited on 2021-06-05 10:48 (UTC) by RoKoInfo)
Unfortunately, I can not make this work. @buzo @ChrisTX Is this operational on your machines?
If I do a `/checkup/`, I get the message »Unable to create, retrieve, or remove encrypted credentials from the server.«, and a `Can't read login block` in the console, which seems to be reasonable to me, since the folder `/var/lib/cryptpad` is not accessible for nginx.
If I try a `/login/`, I get a 404 for the same reason, since nginx tries to access a URL `.../block/...` (although, however, the requested file is there).
How to fix this and leave the security measures (which I am not understanding fully) of Arch in place? Thank you in advance.