Package Details: cryptpad 4.3.1-4

Git Clone URL: https://aur.archlinux.org/cryptpad.git (read-only)
Package Base: cryptpad
Description: Realtime collaborative visual editor with zero knowledge server
Upstream URL: https://github.com/xwiki-labs/cryptpad
Keywords: collaborative
Licenses: AGPL3
Submitter: anonfunc
Maintainer: buzo
Last Packager: buzo
Votes: 5
Popularity: 0.68
First Submitted: 2019-06-08 16:40
Last Updated: 2021-04-05 19:25

Latest Comments

buzo commented on 2021-04-05 19:26

Many thanks for your detailed explanation and patch, ChrisTX! (I noticed it a bit late though.)

I have just applied your patch as-is and will test myself later when I have the time.

ChrisTX commented on 2021-04-05 03:59

Thanks a lot for the hard work, buzo. I've tried your latest build, and noticed the following issues now:

  • The node_modules folder isn't populated as intended, so it doesn't start up once again. This is because --prefix only really works with -g, see the npm docs here. To explain, with --prefix or -g and a local path (and just executing it without any further parameter is like executing it with path ./), npm creates a symlink to a global directory with the binaries populated (cryptpad has none set). The model of installing as we want it to work only works if you use npm install -g against a .tgz created by npm pack. It's possible to use the tar file that way, but the resulting directory structure is a gigantic mess and it's only really reasonable for applications that have a populated binary array. I believe having the build step and then copying over the needed files is less messy than trying to do that since cryptpad is not designed for that installation model.
  • The .service file needs updating to the new (correct) path in /webapps (thanks by the way, I on the other hand was not aware of the Web App packaging guidelines! :D ) It also lacks any sort of hardening.
  • The permissions on the "$pkgdir/var/lib/$pkgname"/{blob,block,data{,store},logs} folders differ between the package and the tmpfiles.d values, 755 vs 750, so it complains upon installation. I'm not sure if it's "cleaner" to use tmpfiles to create the files, or this way, but relying on tmpfiles makes namcap complain, so it's probably fine.

In total, the patch below is what I've come up with, including hardening. I'm also running an instance of cryptpad myself with this package, and I can confirm with those it works fine using a minimally adjusted nginx configuration. As an added extra, it would be conceivable to correct the path to cryptpad in the example file installed as documentation (this line here).

iff --git a/PKGBUILD b/PKGBUILD
index 48b85aa..40eec9d 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -17,32 +17,37 @@ source=("$pkgname-$pkgver.tar.gz::https://github.com/xwiki-labs/cryptpad/archive
         "cryptpad.sysusers"
         "cryptpad.tmpfiles")
 sha256sums=('7d4d3652e911b5f78439c7b2deea48ad0df179a633dc4e9d229aeb0714c1a3d2'
-            '522851fbe4e0e41fd6ece8b2b0ed17bbae0233a58328b7994a5207aa341a635b'
+            '792da71f113aa15177a654e08a31dabd9be864ceb42f64d55cc46d18875c475b'
             '999a271d64b75c7c447fdb21486b27463c04679677e57ea9551a3b0429c618f6'
             '617ee2a7b3e81184dc82df8b800898092b1001fdbd57c3edc317512e3aee70a0')

-package() {
+build() {
     cd "$pkgname-$pkgver"
     export NODE_ENV=production
-    npm install --user root --prefix "$pkgdir/usr/share/webapps/$pkgname" --cache "$srcdir"/npm-cache
-    bower install --allow-root
-    # remove unneeded man pages
-    sed -i '/"man/d' www/bower_components/marked/package.json
-    rm -r www/bower_components/marked/man
+    npm install --cache "$srcdir"/npm-cache
+    bower install -p --allow-root
+}
+
+package() {
+    cd "$pkgname-$pkgver"

     # npm gives ownership of ALL FILES to build user
     # https://bugs.archlinux.org/task/63396
     chown -R root:root "$pkgdir"

-    # Remove references to $pkgdir
-    find "$pkgdir" -type f -name package.json -print0 | xargs -0 sed -i '/_where/d'
+    # remove unneeded man pages
+    sed -i '/"man/d' www/bower_components/marked/package.json
+    rm -r www/bower_components/marked/man
+
+    # Remove references to $srcdir
+    find . -type f -name package.json -print0 | xargs -0 sed -i '/_where/d'

     # Documentation
     install -t "$pkgdir/usr/share/doc/$pkgname" -Dm 644 docs/{ARCHITECTURE.md,example.nginx.conf} CHANGELOG.md

     # Cryptpad
     install -Dt "$pkgdir/usr/share/webapps/$pkgname" package.json server.js
-    cp -rt "$pkgdir/usr/share/webapps/$pkgname" customize.dist lib scripts www
+    cp -rt "$pkgdir/usr/share/webapps/$pkgname" customize.dist lib node_modules scripts www
     rmdir "$pkgdir/usr/share/webapps/$pkgname/www/bower_components/codemirror/mode/rpm/changes"
     # Config
     sed -e "s|\(Path: '\)\./|\1/var/lib/cryptpad/|" \
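
Review bot: the `chown -R root:root "$pkgdir"` kept at the top of package() now runs before anything has been installed into "$pkgdir", because npm install moved to build() and the install/cp lines all come after it. With nothing there yet it changes no ownership, so either move it below the `cp -rt ... node_modules ...` line or drop it together with its comment about npm. The `sed -i` and `rm -r` on www/bower_components/marked also edit the source tree from package(); they fit better at the end of build().
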
@@ -51,9 +56,9 @@ package() {
         -i config/config.example.js

     install -Dm 644 config/config.example.js "${pkgdir}/etc/webapps/$pkgname/config.js"
-    ln -s ../../../../etc/webapps/"$pkgname" "$pkgdir/usr/share/webapps/$pkgname/config"
-    install -d "$pkgdir/var/lib/$pkgname"/{blob,block,data{,store},logs}
-    ln -s ../../../../var/lib/"$pkgname"/{blob,block,data{,store}} "$pkgdir/usr/share/webapps/$pkgname"
+    ln -s /etc/webapps/"$pkgname" "$pkgdir/usr/share/webapps/$pkgname/config"
+    install -dm 750 "$pkgdir/var/lib/$pkgname"/{,blob,block,data{,store},logs}
+    ln -s /var/lib/"$pkgname"/{blob,block,data{,store}} "$pkgdir/usr/share/webapps/$pkgname"

     # systemd
     install -Dm 644 "${srcdir}"/cryptpad.sysusers "${pkgdir}"/usr/lib/sysusers.d/cryptpad.conf
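
Review bot: `install -dm 750 "$pkgdir/var/lib/$pkgname"/{,blob,...}` sets the mode but no owner, so as far as this hunk shows the data directories ship as mode 750 without being assigned to the cryptpad user, and the service can only enter them once cryptpad.tmpfiles (not touched in this patch) hands them over. Either pass the owner and group to install as well, or add a comment saying the tmpfiles.d entry is what assigns ownership, so the two files are kept in step.
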
diff --git a/cryptpad.service b/cryptpad.service
index 672e7a9..c1cdf89 100644
--- a/cryptpad.service
+++ b/cryptpad.service
@@ -1,10 +1,16 @@
 [Unit]
 Description=CryptPad service
+After=network.target

 [Service]
-ExecStart=/usr/bin/node /usr/share/cryptpad/server.js
-WorkingDirectory=/usr/share/cryptpad
+ExecStart=/usr/bin/node /usr/share/webapps/cryptpad/server.js
+WorkingDirectory=/usr/share/webapps/cryptpad
 User=cryptpad
+Group=cryptpad
+ReadWritePaths=/var/lib/cryptpad
+ProtectHome=yes
+NoNewPrivileges=yes
+PrivateTmp=yes

 [Install]
 WantedBy=multi-user.target
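
Review bot: `ReadWritePaths=/var/lib/cryptpad` does nothing on its own, because the unit never makes the rest of the file system read-only. Add `ProtectSystem=strict` next to it so that /usr and /etc become read-only for the service and /var/lib/cryptpad is the one writable exception, which is the point of moving the data out of /usr/share. `PrivateDevices=yes` and `ProtectKernelTunables=yes` would be cheap additions in the same block.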

buzo commented on 2021-04-04 17:33

Thanks ChrisTX, I wasn't aware of the Node.js packaging guidelines. I hope it works better now.

ChrisTX commented on 2021-03-27 23:45

Sorry, I was really busy and couldn't do anything.

The build process wasn't really that weird, it was inspired by the Node.js packaging guidelines but this isn't quite right in this case. You should use the production dependencies, and the node cache folder is important so it doesn't pollute the .npm folder of the build user, as described in the guidelines. In the same way, the find ... line and --user root commands are explained there and why they're needed.

Furthermore, the package still makes /usr writeable for the Cryptpad data, which is obviously not wanted. I've updated my previous patch to match the latest version:

diff --git a/PKGBUILD b/PKGBUILD
index b7029fb..b0400f5 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -17,17 +17,21 @@ source=("$pkgname-$pkgver.tar.gz::https://github.com/xwiki-labs/cryptpad/archive
 sha256sums=('aefa5853981b11853aad60439071fa9e3b5e5fd0642cb48adf7cd1e8133dc8f5'
             '522851fbe4e0e41fd6ece8b2b0ed17bbae0233a58328b7994a5207aa341a635b'
             '999a271d64b75c7c447fdb21486b27463c04679677e57ea9551a3b0429c618f6'
-            'dc2207b11876160ad42b2e65aea384437c11fba82c98d74e7eb6aa84b191c49b')
+            '8e5a200747cb77142cf6d08d3490fefc0d3142f196da13c84d3e530b30f6f72b')

 build() {
     cd "$pkgname-$pkgver"
-    npm install
-    bower install
+    export NODE_ENV=production
+    npm install --user root --cache "${srcdir}/npm-cache"
+    bower install --allow-root
 }

 package() {
     cd "$pkgname-$pkgver"

+    # make sure directory permissions are acceptable
+    find . -type d -exec chmod 755 {} +
+
     # Documentation
     install -t "$pkgdir/usr/share/doc/$pkgname" -Dm 644 docs/{ARCHITECTURE.md,example.nginx.conf} CHANGELOG.md

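Review bot: the added `find . -type d -exec chmod 755 {} +` runs on the build tree (`.`) from package(), not on what ends up under "$pkgdir", and it only touches directories, so file modes inside the copied trees stay whatever the tarball and npm produced. Running it on "$pkgdir/usr/share/$pkgname" after the copy keeps package() from modifying the sources and makes it obvious which tree the modes apply to. In build(), `--user root` and `--allow-root` only matter when the commands run as root; a short comment on why they are kept would help.
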
@@ -45,6 +49,12 @@ package() {
     install -Dm 644 config/config.example.js "${pkgdir}/etc/webapps/$pkgname/config.example.js"
     ln -s "../../../etc/webapps/$pkgname" "$pkgdir/usr/share/$pkgname/config"

+    # File directories
+    ln -s "/var/lib/$pkgname/blob" "$pkgdir/usr/share/$pkgname/blob"
+    ln -s "/var/lib/$pkgname/block" "$pkgdir/usr/share/$pkgname/block"
+    ln -s "/var/lib/$pkgname/data" "$pkgdir/usr/share/$pkgname/data"
+    ln -s "/var/lib/$pkgname/datastore" "$pkgdir/usr/share/$pkgname/datastore"
+
     # systemd
     install -Dm 644 "${srcdir}"/cryptpad.sysusers "${pkgdir}"/usr/lib/sysusers.d/cryptpad.conf
     install -Dm 644 "${srcdir}"/cryptpad.service "${pkgdir}"/usr/lib/systemd/system/cryptpad.service
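
Review bot: the new "File directories" block links blob, block, data and datastore but not logs, although the cryptpad.tmpfiles change in this same patch also creates /var/lib/cryptpad/logs. If the server writes its logs relative to the working directory, they would still be attempted under /usr/share/$pkgname; either add a fifth link for logs or point the log path in the shipped config at /var/lib/cryptpad/logs.
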
diff --git a/cryptpad.tmpfiles b/cryptpad.tmpfiles
index c1d145a..9926ee2 100644
--- a/cryptpad.tmpfiles
+++ b/cryptpad.tmpfiles
@@ -1,3 +1,7 @@
-d /var/lib/cryptpad 0755 cryptpad cryptpad
-Z /usr/share/cryptpad - cryptpad cryptpad
-
+d /var/lib/cryptpad
+d /var/lib/cryptpad/blob
+d /var/lib/cryptpad/block
+d /var/lib/cryptpad/data
+d /var/lib/cryptpad/datastore
+d /var/lib/cryptpad/logs
+Z /var/lib/cryptpad 0750 cryptpad cryptpad
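
Review bot: `Z /var/lib/cryptpad 0750 cryptpad cryptpad` is recursive, so 0750 is applied to every regular file under the data directory as well as to the directories, which marks stored pads and blobs executable. Writing the mode as `~0750` masks it against the bits each entry already has, so directories end up 0750 and plain files 0640.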

buzo commented on 2021-03-27 18:17

Okay, it should be fixed now. The build process was a bit weird before.

buzo commented on 2021-03-15 13:20

ChrisTX: Please go ahead and fix this package. I don't have enough time currently.

ChrisTX commented on 2021-03-13 23:51

No, the node_modules folder is critical, that's where the dependencies go into. Without the folder, the app cannot run.

Cryptpad doesn't support global installation seemingly, and that's what's breaking. The PKGBUILD is inconsistent in how it wants to do this, that's what caused the error.

Furthermore, don't use tmpfiles to change permissions in /usr! It's not necessary, all that's missing are symlinks to /var/lib/cryptpad/... folders and these are writable and have correct permission. Don't make /usr/share/cryptpad actually writable and the data storage location for the pads. It should also not be world-readable.

The following should fix the package, although people who already installed the last version will need to fix permissions in /usr/share/cryptpad now.

diff --git a/PKGBUILD b/PKGBUILD
index 5ea587e..460ef68 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -14,18 +14,18 @@ source=("$pkgname-$pkgver.tar.gz::https://github.com/xwiki-labs/cryptpad/archive
         "cryptpad.service"
         "cryptpad.sysusers"
         "cryptpad.tmpfiles")
-sha256sums=('a54a254f696f7aaa6e2492d6561bccd62919217c7ece3cff97179b9746802128'
+sha256sums=('0e769b0184741907bf5cdd0f5bb0488d43589435f2f102e53d7d64e666978a65'
             '522851fbe4e0e41fd6ece8b2b0ed17bbae0233a58328b7994a5207aa341a635b'
             '999a271d64b75c7c447fdb21486b27463c04679677e57ea9551a3b0429c618f6'
-            'dc2207b11876160ad42b2e65aea384437c11fba82c98d74e7eb6aa84b191c49b')
+            '8e5a200747cb77142cf6d08d3490fefc0d3142f196da13c84d3e530b30f6f72b')

 package() {
     cd "$pkgname-$pkgver"

-    npm install -g --user root --prefix "${pkgdir}"/usr --cache "${srcdir}/npm-cache"
-    bower install --allow-root
+    export NODE_ENV=production

-    rm -r "$pkgdir"/usr
+    npm install --user root --cache "${srcdir}/npm-cache"
+    bower install --allow-root

     # make sure directory permissions are acceptable
     find . -type d -exec chmod 755 {} +
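
Review bot: `npm install` and `bower install` still run inside package(), so dependency download and any install scripts execute during the packaging step. Move `export NODE_ENV=production` and both install commands into a build() function and leave package() to copy files into "$pkgdir".
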
@@ -35,7 +35,7 @@ package() {

     # Cryptpad
     install -Dt "$pkgdir/usr/share/$pkgname" package.json server.js
-    cp -rt "$pkgdir/usr/share/$pkgname" customize.dist lib scripts www
+    cp -rt "$pkgdir/usr/share/$pkgname" customize.dist lib node_modules scripts www
     rmdir "$pkgdir/usr/share/$pkgname/www/bower_components/codemirror/mode/rpm/changes"

     # Config
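
Review bot: adding node_modules to the `cp -rt` line copies the tree exactly as npm left it in the build directory. The package.json files npm writes there can carry `_where` entries naming the build path (a later patch on this page strips them with `sed -i '/_where/d'`), so the same cleanup belongs before this copy.
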
@@ -47,6 +47,12 @@ package() {
     install -Dm 644 config/config.example.js "${pkgdir}/etc/webapps/$pkgname/config.example.js"
     ln -s "../../../etc/webapps/$pkgname" "$pkgdir/usr/share/$pkgname/config"

+    # File directories
+    ln -s "/var/lib/$pkgname/blob" "$pkgdir/usr/share/$pkgname/blob"
+    ln -s "/var/lib/$pkgname/block" "$pkgdir/usr/share/$pkgname/block"
+    ln -s "/var/lib/$pkgname/data" "$pkgdir/usr/share/$pkgname/data"
+    ln -s "/var/lib/$pkgname/datastore" "$pkgdir/usr/share/$pkgname/datastore"
+
     # systemd
     install -Dm 644 "${srcdir}"/cryptpad.sysusers "${pkgdir}"/usr/lib/sysusers.d/cryptpad.conf
     install -Dm 644 "${srcdir}"/cryptpad.service "${pkgdir}"/usr/lib/systemd/system/cryptpad.service
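
Review bot: the four added `ln -s` lines use absolute targets while the config link in the context line just above them uses a relative one (`../../../etc/webapps/$pkgname`); pick one style for the package. The four lines also differ only in the directory name, so a loop such as `for d in blob block data datastore; do ln -s "/var/lib/$pkgname/$d" "$pkgdir/usr/share/$pkgname/$d"; done` is easier to keep in step with cryptpad.tmpfiles.
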
diff --git a/cryptpad.tmpfiles b/cryptpad.tmpfiles
index c1d145a..9926ee2 100644
--- a/cryptpad.tmpfiles
+++ b/cryptpad.tmpfiles
@@ -1,3 +1,7 @@
-d /var/lib/cryptpad 0755 cryptpad cryptpad
-Z /usr/share/cryptpad - cryptpad cryptpad
-
+d /var/lib/cryptpad
+d /var/lib/cryptpad/blob
+d /var/lib/cryptpad/block
+d /var/lib/cryptpad/data
+d /var/lib/cryptpad/datastore
+d /var/lib/cryptpad/logs
+Z /var/lib/cryptpad 0750 cryptpad cryptpad
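
Review bot: the six new `d` lines give no mode, user or group, so the directories are created with tmpfiles defaults and only become usable by the service through the trailing `Z` line. State the intended values on each `d` line so creation does not depend on line order. Dropping `Z /usr/share/cryptpad` also leaves existing installs with the old ownership under /usr/share/cryptpad; an install-script message or a one-off ownership reset would cover the upgrade path.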

buzo commented on 2021-03-13 10:37

spychodelics: I have removed node_modules, but I don't have time to test it now. Hope it still works …

satcom886: done (finally :)

spychodelics commented on 2021-03-09 15:07

4.1.0 fails with

cp: der Aufruf von stat für 'node_modules' ist nicht möglich: Datei oder Verzeichnis nicht gefunden

Removing node_modules fixes the build process but breaks the functionality.

satcom886 commented on 2020-06-22 21:21

Other than that it works flawlessly (after I changed the owner of /usr/share/cryptpad to cryptpad).