From f6de3fd6689165303b791722414f2f3360204136 Mon Sep 17 00:00:00 2001
From: Plailect
Date: Tue, 12 Mar 2019 13:17:51 -0400
Subject: [PATCH] Start appservice-irc as non-root

---
 .../matrix-synapse/tasks/ext/appservice-irc/setup.yml | 11 +++++++++++
 .../systemd/matrix-appservice-irc.service.j2 | 3 ++-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/roles/matrix-synapse/tasks/ext/appservice-irc/setup.yml b/roles/matrix-synapse/tasks/ext/appservice-irc/setup.yml
index 9f79c3838..5c75554dc 100644
--- a/roles/matrix-synapse/tasks/ext/appservice-irc/setup.yml
+++ b/roles/matrix-synapse/tasks/ext/appservice-irc/setup.yml
@@ -54,6 +54,8 @@
 - name: Generate matrix-appservice-irc registration.yaml if it doesn't exist
   shell: >-
     /usr/bin/docker run --rm --name matrix-appservice-irc-gen
+    --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+    --cap-drop=ALL \
     -v {{ matrix_appservice_irc_base_path }}:/data:z
     {{ matrix_appservice_irc_docker_image }}
     node app.js
@@ -82,6 +84,15 @@
     {{ ["{{ matrix_synapse_app_service_config_file_appservice_irc }}"] | to_nice_json }}
   when: "matrix_appservice_irc_enabled"
 
+- name: Ensure IRC configuration directory permissions are correct
+  file:
+    path: "{{ matrix_appservice_irc_base_path }}"
+    state: directory
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+    recurse: true
+  when: "matrix_appservice_irc_enabled"
+
 #
 # Tasks related to getting rid of matrix-appservice-irc (if it was previously enabled)
 #
diff --git a/roles/matrix-synapse/templates/ext/appservice-irc/systemd/matrix-appservice-irc.service.j2 b/roles/matrix-synapse/templates/ext/appservice-irc/systemd/matrix-appservice-irc.service.j2
index 2353796b0..1b5b4fc0d 100644
--- a/roles/matrix-synapse/templates/ext/appservice-irc/systemd/matrix-appservice-irc.service.j2
+++ b/roles/matrix-synapse/templates/ext/appservice-irc/systemd/matrix-appservice-irc.service.j2
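Review bot: The two added lines in the `shell: >-` task end in ` \`, but a folded block scalar joins its lines with spaces, not newlines, so each backslash reaches the shell as an escaped space rather than a line continuation; the existing lines of the same scalar carry no backslash for that reason. An escaped space becomes a separate word containing a single space, and `docker run` would most likely take that word as the image name and stop parsing flags, so the registration-generation command is likely to fail. Drop the trailing backslashes: `--user={{ matrix_user_uid }}:{{ matrix_user_gid }}` and `--cap-drop=ALL`. Note also that with `--user` this command can only write into `{{ matrix_appservice_irc_base_path }}` if that directory is already owned by the matrix uid at this point in the play.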
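Review bot: The new recursive-chown task is placed after the registration-generation task, yet that task now runs the container as `{{ matrix_user_uid }}`; on a host upgraded from the previous root-running setup, where the base path and its contents are presumably still root-owned, the generation step would fail with a permission error before this task ever runs. Consider moving this task ahead of the generation task, or folding the ownership into whatever task creates the directory earlier in this file (outside the hunk), so the fix is applied before it is needed. A one-line comment above the task, `# Files created while the bridge ran as root must be handed to the matrix user before the non-root container can write to them`, would record why the recursive chown exists.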
@@ -11,7 +11,8 @@ ExecStartPre=-/usr/bin/docker kill matrix-appservice-irc
 ExecStartPre=-/usr/bin/docker rm matrix-appservice-irc
 ExecStart=/usr/bin/docker run --rm --name matrix-appservice-irc \
     --log-driver=none \
-    -e "UID={{ matrix_user_uid }}" -e "GID={{ matrix_user_gid }}" \
+    --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+    --cap-drop=ALL \
     --network={{ matrix_docker_network }} \
     {% if matrix_appservice_irc_container_expose_client_server_api_port %}
     -p 127.0.0.1:9999:9999 \
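Review bot: Replacing the `-e "UID=…" -e "GID=…"` pair with `--user` assumes the image's entrypoint no longer needs to start as root; an env-var form like the removed one is typically consumed by an entrypoint that fixes ownership of /data and then drops privileges itself, and if that step is still present it will now fail under `--user` combined with `--cap-drop=ALL`. Please confirm against the image's entrypoint before merging, since the failure would only show up at service start. A short comment above the ExecStart line, `# Runs as the matrix user with all capabilities dropped; the data directory must already be owned by that user`, would make the new requirement visible to whoever next edits the unit. The ExecStart continuation runs past the end of the hunk.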