Permission denied when reading passwordFile

I am trying to set up the freshrss service.
This is my freshrss configuration:

  services.freshrss = {
    enable = true;
    baseUrl = "http://home.example.org";
    defaultUser = "strike";
    virtualHost = "home.example.org";
    passwordFile = "/home/strike/passFiles/freshrss-user";
  };

When running nixos-rebuild switch this is the output from the freshrss-config.service:

jan 14 20:51:08 nixos systemd[1]: freshrss-config.service: Deactivated successfully.
jan 14 20:51:08 nixos systemd[1]: Stopped Set up the state directory for FreshRSS before use.
jan 14 20:51:09 nixos systemd[1]: Starting Set up the state directory for FreshRSS before use...
jan 14 20:51:09 nixos freshrss-config-start[77399]: Warning: scandir(/nix/store/j9vpfzi2mwdkkjpfki9zmf2vhcc3hkc4-freshrss-extensions/share/freshrss//extensions): Failed to open directory: No such file or directory in /nix/store/ah37777j0bkgm7wrlhijyicawg1f7n28-FreshRSS-1.24.3/lib>
jan 14 20:51:09 nixos freshrss-config-start[77399]: Warning: scandir(): (errno 2): No such file or directory in /nix/store/ah37777j0bkgm7wrlhijyicawg1f7n28-FreshRSS-1.24.3/lib/Minz/ExtensionManager.php on line 127
jan 14 20:51:09 nixos freshrss-config-start[77399]: Reconfiguring FreshRSS…
jan 14 20:51:09 nixos freshrss-config-start[77400]: cat: /home/strike/passFiles/freshrss-user: Permission denied
jan 14 20:51:09 nixos freshrss-config-start[77401]: Warning: scandir(/nix/store/j9vpfzi2mwdkkjpfki9zmf2vhcc3hkc4-freshrss-extensions/share/freshrss//extensions): Failed to open directory: No such file or directory in /nix/store/ah37777j0bkgm7wrlhijyicawg1f7n28-FreshRSS-1.24.3/lib>
jan 14 20:51:09 nixos freshrss-config-start[77401]: Warning: scandir(): (errno 2): No such file or directory in /nix/store/ah37777j0bkgm7wrlhijyicawg1f7n28-FreshRSS-1.24.3/lib/Minz/ExtensionManager.php on line 127
jan 14 20:51:09 nixos freshrss-config-start[77401]: FreshRSS updating user “jfreakdk”…
jan 14 20:51:09 nixos freshrss-config-start[77401]: ℹ Remember to re-apply the appropriate access rights, such as:        sudo cli/access-permissions.sh
jan 14 20:51:09 nixos systemd[1]: Finished Set up the state directory for FreshRSS before use.

I noticed this error: cat: /home/strike/passFiles/freshrss-user: Permission denied

The owner of that file is freshrss (the user that runs the service):

$ ls -l /home/strike/passFiles/
total 8
-rw------- 1 freshrss freshrss 25 14 jan 19:36 freshrss-user

Why is the script getting permission denied when trying to read the passwordfile?

Because the user freshrss can’t access /home/strike.

1 Like
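The diagnosis above, as an added example that is not part of the thread: reading a file needs search (x) permission on every parent directory, so owning the file is not enough. The helper names, the `root` parameter and the temporary directory layout are constructed for illustration, and only classic mode bits are evaluated.

```python
import os
import tempfile
from pathlib import Path


def allowed(st, uid, gids, want):
    """POSIX mode check: owner, else group, else other bits (r=4, x=1)."""
    if uid == 0:
        return True  # root is not limited by mode bits for read/search
    if st.st_uid == uid:
        shift = 6
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    return bool((st.st_mode >> shift) & want)


def first_blocker(path, uid, gids, root="/"):
    """First component under `root` that stops uid reading path, else None.
    Mode bits only: ACLs and systemd sandboxing are not modelled."""
    target, root = Path(path).resolve(), Path(root).resolve()
    for d in reversed(target.parents):  # outermost directory first
        inside = d == root or root in d.parents
        if inside and not allowed(os.stat(d), uid, gids, 1):  # search bit
            return str(d)
    if not allowed(os.stat(target), uid, gids, 4):  # read bit on the file
        return str(target)
    return None


def demo():
    """Constructed layout mirroring the thread: strike/passFiles/freshrss-user."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp).resolve() / "strike"
        secret = home / "passFiles" / "freshrss-user"
        secret.parent.mkdir(parents=True)
        secret.write_text("constructed-sample\n")
        secret.chmod(0o644)
        secret.parent.chmod(0o755)
        home.chmod(0o700)  # typical private home directory
        st = os.stat(home)
        uid, gids = st.st_uid + 1, {st.st_gid + 1}  # hypothetical service account
        before = first_blocker(secret, uid, gids, root=home)
        home.chmod(0o711)  # grant search (x) to others
        after = first_blocker(secret, uid, gids, root=home)
        return before, after, str(home)


if __name__ == "__main__":
    print(demo())
```

On a real system, call `first_blocker` with the service account's uid and group ids and the default `root="/"` to see which directory in the path denies access.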

i took a quick peek and it looks like the module hasn’t been ported to use LoadCredential yet, which would resolve your issue

you could file an issue on github reporting this

Even so, LoadCredential could only use secrets located in a place visible to the service user. Either you must move it out of $HOME or change the service user.

There is a mismatch in what you try.
defaultUser sets the default user in the freshrss installation, so the login user in the application.

But the os user that is executing the service is defined by the user option.
So if you want to run the service as strike user, you need to change that option.
Or otherwise you need to make the file /home/strike/passFiles/freshrss-user accessible for the user freshrss.

So basically what waffle8946 said.

For more context in the implementation see

Aside from that, it could be possible that hardening options will prevent reading that path, i haven't tested that (as i am not using freshrss). that you need to try out.
Best would be for the module quality to port to LoadCredential (like already mentioned)

no, that’s one of the primary points of why LoadCredential was developed… the service user doesn’t need access so that DynamicUser services can work

now you know how awesome it is! :rocket:

i believe LoadCredential is the optimal solution for this module

1 Like

Thank you for your help and input.

Moving the files out of the home folder got me past the Permission denied error.