Matter server weird permission issues

am_lazytude · March 9, 2025, 5:44pm

Enabled the server:

  services.matter-server.enable = true;

systemd unit log output:

Started Matter Server.
(MainThread) INFO [matter_server.server.stack] Initializing CHIP/Matter Logging...
(MainThread) INFO [matter_server.server.stack] Initializing CHIP/Matter Controller Stack...
(MainThread) DEBUG [matter_server.server.stack] Using storage file: /var/lib/matter-server/chip.json - Bluetooth commissioning enabled: NO
[1741533508.087392][2017658:2017658] CHIP:CTL: Setting attestation nonce to random value
[1741533508.087416][2017658:2017658] CHIP:CTL: Setting CSR nonce to random value
[1741533508.087860][2017658:2017658] CHIP:DL: ChipLinuxStorage::Init: Using KVS config file: /tmp/chip_kvs
[1741533508.152061][2017658:2017658] CHIP:DL: Wrote settings to /tmp/chip_kvs
[1741533508.152194][2017658:2017658] CHIP:DL: ChipLinuxStorage::Init: Using KVS config file: /data/chip_factory.ini
[1741533508.152233][2017658:2017658] CHIP:DL: Failed to create temp file /data/chip_factory.ini-BoBS9C: Permission denied

And then dies.

The /var/lib/matter-server folder/symlink did not exist before.
Afterwards permissions look like this:

$ ll /var/lib/
lrwxrwxrwx  1 root            root            21  9. Mär 16:18 matter-server -> private/matter-server
$ ll /var/lib/private
drwxr-xr-x 2 nobody nogroup 2  9. Mär 16:18 matter-server
$ ll /var/lib/private/matter-server
<empty>

systemctl cat matter-server.service:

# /etc/systemd/system/matter-server.service
[Unit]
After=network-online.target
Before=home-assistant.service
Description=Matter Server
Wants=network-online.target

[Service]
Environment="HOME=/var/lib/matter-server"
Environment="LOCALE_ARCHIVE=/nix/store/i7inm24z817bdph4c8niqld7ydsv1f5y-glibc-locales-2.40-66/lib/locale/locale-archive"
Environment="PATH=/nix/store/fr9yr63a1267cr0r86w18c77mh3xavcc-coreutils-9.6/bin:/nix/store/lk2sg2yq5jqs9dlx5ini46kvjwk7ffsf-findutils-4.10.0/bin:/nix/store/yz6nq9v29l3g990w8zlqsnzl>
Environment="TZDIR=/nix/store/pzi38xllbgp4pisk17l4hi28mhr67xkq-tzdata-2025a/share/zoneinfo"
AmbientCapabilities=
BindPaths=/var/lib/matter-server:/data
CapabilityBoundingSet=
DevicePolicy=closed
DynamicUser=true
ExecStart=/nix/store/lpk47l0bwrgxzik2vsy46z4nzs2nb7yp-python3.12-python-matter-server-7.0.1/bin/matter-server --port 5580 --vendorid 4939 --storage-path /var/lib/matter-server  --log-level debug
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
PrivateUsers=true
ProcSubset=pid
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ReadOnlyPaths=/nix/store /run/dbus
RestrictAddressFamilies=AF_INET
RestrictAddressFamilies=AF_INET6
RestrictAddressFamilies=AF_NETLINK
RestrictAddressFamilies=AF_UNIX
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
StateDirectory=matter-server
SystemCallFilter=~ @clock @cpu-emulation @debug @module @mount @obsolete @privileged @raw-io @reboot @resources @swap
TemporaryFileSystem=/
UMask=0077

[Install]
WantedBy=multi-user.target

Since the unit uses DynamicUser=true the /var/lib/matter-server/folder is symlinked and always chowned to the random user when the systemd unit starts. And BindPaths=/var/lib/matter-server:/data binds /data to that folder.

So why does the user not have write permission to that folder? And since everything is created automatically from systemd why do no others face that issue?
Any ideas? Or an idea how to debug this?

hexa · March 9, 2025, 6:55pm

A fix was prepared and needs review in

github.com/NixOS/nixpkgs

nixos/matter-server: fix permission denied error in 7.0.1

NixOS:master ← leonm1:fix/matter-server

opened 01:30AM - 24 Feb 25 UTC

leonm1

+34 -24

Remove `DynamicUser=yes`, which causes a permission denied error when the matter… SDK tries to write its config file. The error looks like this: ``` [1740088364.983513][49694:49694] CHIP:DL: Failed to create temp file /data/chip_factory.ini-gR0axc: Permission denied ``` I can't quite figure out why there's an error, but it appears to be something involving the ordering of bind mounts and permissions. After this change, the error no longer triggers. Systemd should migrate the config from DynamicUser=yes to DynamicUser=no automatically, leaving a snarky message in the journal. ## Things done - Built on platform(s) - [x] x86_64-linux - [x] aarch64-linux - [ ] x86_64-darwin - [ ] aarch64-darwin - For non-Linux: Is sandboxing enabled in `nix.conf`? (See [Nix manual](https://nixos.org/manual/nix/stable/command-ref/conf-file.html)) - [ ] `sandbox = relaxed` - [x] `sandbox = true` - [x] Tested, as applicable: - [NixOS test(s)](https://nixos.org/manual/nixos/unstable/index.html#sec-nixos-tests) (look inside [nixos/tests](https://github.com/NixOS/nixpkgs/blob/master/nixos/tests)) - and/or [package tests](https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md#package-tests) - or, for functions and "core" functionality, tests in [lib/tests](https://github.com/NixOS/nixpkgs/blob/master/lib/tests) or [pkgs/test](https://github.com/NixOS/nixpkgs/blob/master/pkgs/test) - made sure NixOS tests are [linked](https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md#linking-nixos-module-tests-to-a-package) to the relevant packages - [ ] Tested compilation of all packages that depend on this change using `nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"`. Note: all changes have to be committed, also see [nixpkgs-review usage](https://github.com/Mic92/nixpkgs-review#usage) - [ ] Tested basic functionality of all binary files (usually in `./result/bin/`) - [25.05 Release Notes](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2505.section.md) (or backporting [24.11](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2411.section.md) and [25.05](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2505.section.md) Release notes) - [ ] (Package updates) Added a release notes entry if the change is major or breaking - [ ] (Module updates) Added a release notes entry if the change is significant - [ ] (Module addition) Added a release notes entry if adding a new NixOS module - [x] Fits [CONTRIBUTING.md](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md).  --- Add a :+1: [reaction] to [pull requests you find important]. [reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/ [pull requests you find important]: https://github.com/NixOS/nixpkgs/pulls?q=is%3Aopen+sort%3Areactions-%2B1-desc

am_lazytude · March 9, 2025, 7:16pm

The fix to switch off dynamic user yields:

matter-server.service: Failed to set up mount namespacing: /nix/store: No such file or directory
matter-server.service: Failed at step NAMESPACE spawning /nix/store/lpk47l0bwrgxzik2vsy46z4nzs2nb7yp-python3.12-python-matter-server-7.0.1/bin/matter-server: No such file or directory

But a comment mentions it is solved differently. I will dig deeper.

Update: this fix works indeed! But only all changes not just switch off dynamic user. Thx!