Saturday, October 26, 2024
apps@conference.yunohost.org
October
Mon Tue Wed Thu Fri Sat Sun
  1
2
3
4
5
6
7
8
9 10
11
12 13
14 15
16 17 18 19
20
21
22
23
24
25
26
27
28
29
30
31
     
             

[07:53:13] <tituspijean> > <@Alekswag:matrix.org> please don't put password in such file, the systemd service conf is world readable

that rings a bell, somehow my daemon.log contains warnings about vaultwarden and conduit's services configuration being world-inaccessible
[07:54:37] <tituspijean> sure enough:
```
sudo ls -la /etc/systemd/system/{vaultwarden.service,conduit.service,wetty.service}
-r-------- 1 root root 1719 Oct 6 21:07 /etc/systemd/system/conduit.service
-r-------- 1 root root 998 Sep 16 20:40 /etc/systemd/system/vaultwarden.service
-rw-r--r-- 1 root root 1839 Mar 31 2024 /etc/systemd/system/wetty.service
```
should I just chmod them?
[11:51:39] <Yunohost Git/Infra notifications> App jellyfin failed all tests in job [#31397](https://ci-apps.yunohost.org/ci/job/31397) :(
[11:57:58] <Yunohost Git/Infra notifications> App vaultwarden failed all tests in job [#31310](https://ci-apps.yunohost.org/ci/job/31310) :(
[18:55:14] <Yunohost Git/Infra notifications> App nocodb stays at level 1 in job [#30843](https://ci-apps.yunohost.org/ci/job/30843)
[18:58:01] <Yunohost Git/Infra notifications> App mattermost rises from level 6 to 8 in job [#31681](https://ci-apps.yunohost.org/ci/job/31681) !
[19:46:40] <Aleks (he/him/il/lui)> > <@titus:pijean.ovh> that rings a bell, somehow my daemon.log contains warnings about vaultwarden and conduit's services configuration being world-inaccessible

eeeh, that sound like a good thing that it's world-inacessible, dont understand why daemon.log complaints about it ?
[20:40:44] <tituspijean> hum sorry, not daemon.log, but journalctl
[20:41:19] <Aleks (he/him/il/lui)> 🪵
[20:41:39] <tituspijean> coming :)
[20:42:28] <tituspijean> ```
journalctl -g world
Sep 23 19:18:39 pijean.ovh systemd[1]: Configuration file /etc/systemd/system/vaultwarden.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.
Sep 26 06:58:57 pijean.ovh systemd[1]: Configuration file /etc/systemd/system/conduit.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.
```
[20:42:56] <Aleks (he/him/il/lui)> 🤔
[20:43:19] <Aleks (he/him/il/lui)> ah i see
[20:44:08] <Aleks (he/him/il/lui)> interesting, dunno what API exactly it's refering to (maybe any user can call `systemctl cat foobar.service` or something idk
[20:45:00] <tituspijean> interestingly no:
```
systemctl cat conduit.service
Failed to cat /etc/systemd/system/conduit.service: Permission denied
```
[20:45:42] <Aleks (he/him/il/lui)> what about `show` ?
[20:46:15] <tituspijean> yup:
```
systemctl show conduit.service
Type=simple
ExitType=main
Restart=always
NotifyAccess=none
RestartUSec=100ms
TimeoutStartUSec=1min 30s
TimeoutStopUSec=1min 30s
...
```