Arch Linux User Repository

Ok, I caught the trick: Use nodejs-lts-erbium instead of nodejs. So forget about the comments below.

If I change the directory rights of /var/lib/cryptpad to 770 and extend the service with UMask=0007, the error message changes to Can't remove login block, which seems to be again a 404 issue. The file is there, and the user http can delete it.

General question: Does it make sense to access /var/lib/cryptpad as http (nginx) instead of cryptpad (node)?

Unfortunately, I can not make this work. @buzo @ChrisTX Is this operational on your machines?

If I do a /checkup/, I get the message »Unable to create, retrieve, or remove encrypted credentials from the server.«, and a Can't read login block in the console, which seems to be reasonable to me, since the folder /var/lib/cryptpad is not accessible for nginx.

If I try a /login/, I get a 404 for the same reason, since nginx tries to access a URL .../block/... (although, however, the requested file is there).

How to fix this and leave the security measures (which I am not understanding fully) of Arch in place? Thank you in advance.

Uhmm... I'm quite unfamiliar with webapps, but i think I really need to try this out, because this is a thing i have long searched for (good self hosted, online office). But when I have intalled the package, how do I run it. I am a noob, btw.

Many thanks for your detailed explanation and patch, ChrisTX! (I noticed it a bit late though.)

I have just applied your patch as-is and will test myself later when I have the time.

Thanks a lot for the hard work, buzo. I've tried your latest build, and noticed the following issues now:

• The node_modules folder isn't populated as intended, so it doesn't start up once again. This is because --prefix only really works with -g, see the npm docs here. To explain, with --prefix or -g and a local path (and just executing it without any further parameter is like executing it with path ./), npm creates a symlink to a global directory with the binaries populated (cryptpad has none set). The model of installing as we want it to work only works if you use npm install -g against a .tgz created by npm pack. It's possible to use the tar file that way, but the resulting directory structure is a gigantic mess and it's only really reasonable for applications that have a populated binary array. I believe having the build step and then copying over the needed files is less messy than trying to do that since cryptpad is not designed for that installation model.
• The .service file needs updating to the new (correct) path in /webapps (thanks by the way, I on the other hand was not aware of the Web App packaging guidelines! :D ) It also lacks any sort of hardening.
• The permissions on the $pkgdir/var/lib/$pkgname"/{blob,block,data{,store},logs} folders differ from the package towards the tmpfiles.d values, 755 vs 750, so it complains upon installation. I'm not sure if it's "cleaner" to use tmpfiles to create the files, or this way, but relying on tmpfiles makes namcap complain, so it's probably fine.

In total, the patch below is what I've come up with, including hardening. I'm also running an instance of cryptpad myself with this package, and I can confirm with those it works fine using a minimally adjusted nginx configuration. As an added extra, it would be conceivable correcting the path to cryptpad in the example file installed as documentation (this line here).

iff --git a/PKGBUILD b/PKGBUILD
index 48b85aa..40eec9d 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -17,32 +17,37 @@ source=("$pkgname-$pkgver.tar.gz::https://github.com/xwiki-labs/cryptpad/archive
         "cryptpad.sysusers"
         "cryptpad.tmpfiles")
 sha256sums=('7d4d3652e911b5f78439c7b2deea48ad0df179a633dc4e9d229aeb0714c1a3d2'
-            '522851fbe4e0e41fd6ece8b2b0ed17bbae0233a58328b7994a5207aa341a635b'
+            '792da71f113aa15177a654e08a31dabd9be864ceb42f64d55cc46d18875c475b'
             '999a271d64b75c7c447fdb21486b27463c04679677e57ea9551a3b0429c618f6'
             '617ee2a7b3e81184dc82df8b800898092b1001fdbd57c3edc317512e3aee70a0')

-package() {
+build() {
     cd "$pkgname-$pkgver"
     export NODE_ENV=production
-    npm install --user root --prefix "$pkgdir/usr/share/webapps/$pkgname" --cache "$srcdir"/npm-cache
-    bower install --allow-root
-    # remove unneeded man pages
-    sed -i '/"man/d' www/bower_components/marked/package.json
-    rm -r www/bower_components/marked/man
+    npm install --cache "$srcdir"/npm-cache
+    bower install -p --allow-root
+}
+
+package() {
+    cd "$pkgname-$pkgver"

     # npm gives ownership of ALL FILES to build user
     # https://bugs.archlinux.org/task/63396
     chown -R root:root "$pkgdir"

-    # Remove references to $pkgdir
-    find "$pkgdir" -type f -name package.json -print0 | xargs -0 sed -i '/_where/d'
+    # remove unneeded man pages
+    sed -i '/"man/d' www/bower_components/marked/package.json
+    rm -r www/bower_components/marked/man
+
+    # Remove references to $srcdir
+    find . -type f -name package.json -print0 | xargs -0 sed -i '/_where/d'

     # Documentation
     install -t "$pkgdir/usr/share/doc/$pkgname" -Dm 644 docs/{ARCHITECTURE.md,example.nginx.conf} CHANGELOG.md

     # Cryptpad
     install -Dt "$pkgdir/usr/share/webapps/$pkgname" package.json server.js
-    cp -rt "$pkgdir/usr/share/webapps/$pkgname" customize.dist lib scripts www
+    cp -rt "$pkgdir/usr/share/webapps/$pkgname" customize.dist lib node_modules scripts www
     rmdir "$pkgdir/usr/share/webapps/$pkgname/www/bower_components/codemirror/mode/rpm/changes"
     # Config
     sed -e "s|\(Path: '\)\./|\1/var/lib/cryptpad/|" \
@@ -51,9 +56,9 @@ package() {
         -i config/config.example.js

     install -Dm 644 config/config.example.js "${pkgdir}/etc/webapps/$pkgname/config.js"
-    ln -s ../../../../etc/webapps/"$pkgname" "$pkgdir/usr/share/webapps/$pkgname/config"
-    install -d "$pkgdir/var/lib/$pkgname"/{blob,block,data{,store},logs}
-    ln -s ../../../../var/lib/"$pkgname"/{blob,block,data{,store}} "$pkgdir/usr/share/webapps/$pkgname"
+    ln -s /etc/webapps/"$pkgname" "$pkgdir/usr/share/webapps/$pkgname/config"
+    install -dm 750 "$pkgdir/var/lib/$pkgname"/{,blob,block,data{,store},logs}
+    ln -s /var/lib/"$pkgname"/{blob,block,data{,store}} "$pkgdir/usr/share/webapps/$pkgname"

     # systemd
     install -Dm 644 "${srcdir}"/cryptpad.sysusers "${pkgdir}"/usr/lib/sysusers.d/cryptpad.conf
diff --git a/cryptpad.service b/cryptpad.service
index 672e7a9..c1cdf89 100644
--- a/cryptpad.service
+++ b/cryptpad.service
@@ -1,10 +1,16 @@
 [Unit]
 Description=CryptPad service
+After=network.target

 [Service]
-ExecStart=/usr/bin/node /usr/share/cryptpad/server.js
-WorkingDirectory=/usr/share/cryptpad
+ExecStart=/usr/bin/node /usr/share/webapps/cryptpad/server.js
+WorkingDirectory=/usr/share/webapps/cryptpad
 User=cryptpad
+Group=cryptpad
+ReadWritePaths=/var/lib/cryptpad
+ProtectHome=yes
+NoNewPrivileges=yes
+PrivateTmp=yes

 [Install]
 WantedBy=multi-user.target

Thanks ChrisTX, I wasn't aware of the Node.js packaging guidelines. I hope it works better now.

Sorry, I was really busy and couldn't do anything.

The build process wasn't really that weird, it was inspired by the Node.js packaging guidelines but this isn't quite right in this case. You should use the production dependencies, and the node cache folder is important so it doesn't pollute the .npm folder of the build user, as described in the guidelines. In the same way, the find ... line and --user root commands are explained there and why they're needed.

Furthermore, the package still makes /usr writeable for the Cryptpad data, which is obviously not wanted. I've updated my previous patch to match the latest version:

diff --git a/PKGBUILD b/PKGBUILD
index b7029fb..b0400f5 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -17,17 +17,21 @@ source=("$pkgname-$pkgver.tar.gz::https://github.com/xwiki-labs/cryptpad/archive
 sha256sums=('aefa5853981b11853aad60439071fa9e3b5e5fd0642cb48adf7cd1e8133dc8f5'
             '522851fbe4e0e41fd6ece8b2b0ed17bbae0233a58328b7994a5207aa341a635b'
             '999a271d64b75c7c447fdb21486b27463c04679677e57ea9551a3b0429c618f6'
-            'dc2207b11876160ad42b2e65aea384437c11fba82c98d74e7eb6aa84b191c49b')
+            '8e5a200747cb77142cf6d08d3490fefc0d3142f196da13c84d3e530b30f6f72b')

 build() {
     cd "$pkgname-$pkgver"
-    npm install
-    bower install
+    export NODE_ENV=production
+    npm install --user root --cache "${srcdir}/npm-cache"
+    bower install --allow-root
 }

 package() {
     cd "$pkgname-$pkgver"

+    # make sure directory permissions are acceptable
+    find . -type d -exec chmod 755 {} +
+
     # Documentation
     install -t "$pkgdir/usr/share/doc/$pkgname" -Dm 644 docs/{ARCHITECTURE.md,example.nginx.conf} CHANGELOG.md

@@ -45,6 +49,12 @@ package() {
     install -Dm 644 config/config.example.js "${pkgdir}/etc/webapps/$pkgname/config.example.js"
     ln -s "../../../etc/webapps/$pkgname" "$pkgdir/usr/share/$pkgname/config"

+    # File directories
+    ln -s "/var/lib/$pkgname/blob" "$pkgdir/usr/share/$pkgname/blob"
+    ln -s "/var/lib/$pkgname/block" "$pkgdir/usr/share/$pkgname/block"
+    ln -s "/var/lib/$pkgname/data" "$pkgdir/usr/share/$pkgname/data"
+    ln -s "/var/lib/$pkgname/datastore" "$pkgdir/usr/share/$pkgname/datastore"
+
     # systemd
     install -Dm 644 "${srcdir}"/cryptpad.sysusers "${pkgdir}"/usr/lib/sysusers.d/cryptpad.conf
     install -Dm 644 "${srcdir}"/cryptpad.service "${pkgdir}"/usr/lib/systemd/system/cryptpad.service
diff --git a/cryptpad.tmpfiles b/cryptpad.tmpfiles
index c1d145a..9926ee2 100644
--- a/cryptpad.tmpfiles
+++ b/cryptpad.tmpfiles
@@ -1,3 +1,7 @@
-d /var/lib/cryptpad 0755 cryptpad cryptpad
-Z /usr/share/cryptpad - cryptpad cryptpad
-
+d /var/lib/cryptpad
+d /var/lib/cryptpad/blob
+d /var/lib/cryptpad/block
+d /var/lib/cryptpad/data
+d /var/lib/cryptpad/datastore
+d /var/lib/cryptpad/logs
+Z /var/lib/cryptpad 0750 cryptpad cryptpad

Okay, it should be fixed now. The build process was a bit weird before.

ChrisTX: Please go ahead and fix this package. I don't have enough time currently.