[systemd-devel] [PATCH] journald: Make the group that owns journal files configurable

Gergely Nagy algernon at balabit.hu
Thu Mar 7 07:41:57 PST 2013


While a separate group to own the journal files is desirable, which
group it is should be tweakable (to the point where it can be set to
an existing group, like adm, for systems where that makes sense).

To this end, this patch introduces a --with-journal-group=GROUP option
to the configure script, and uses the supplied value (or systemd-journal,
if none is specified) as the dedicated group.

Signed-off-by: Gergely Nagy <algernon at balabit.hu>
---
 configure.ac                     |    8 ++++++++
 man/systemd-journald.service.xml |    7 ++++---
 src/journal/journalctl.c         |   12 ++++++------
 src/journal/journald-server.c    |    2 +-
 4 files changed, 19 insertions(+), 10 deletions(-)

diff --git a/configure.ac b/configure.ac
index 43b8225..47527da 100644
--- a/configure.ac
+++ b/configure.ac
@@ -793,6 +793,14 @@ AC_ARG_WITH([tty-gid],
         [AC_DEFINE_UNQUOTED(TTY_GID, [$withval], [GID of the 'tty' group])],
         [])
 
+AC_ARG_WITH([journal-group],
+        [AS_HELP_STRING([--with-journal-group=GROUP],
+                [Specify the group systemd-journal files should belong to])],
+        [journal_group="$withval"],
+        [journal_group="systemd-journal"])
+
+AC_DEFINE_UNQUOTED(JOURNAL_GROUP, ["$journal_group"], [Group of journal files should belong to])]
+
 AC_ARG_WITH([dbuspolicydir],
         AS_HELP_STRING([--with-dbuspolicydir=DIR], [D-Bus policy directory]),
         [],
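Review bot: The new `AC_DEFINE_UNQUOTED(JOURNAL_GROUP, ...)` line ends with a stray `]` after the closing parenthesis, which is an unbalanced m4 close quote and will either be rejected or be passed through as a literal `]` into the generated configure script; the line should read `AC_DEFINE_UNQUOTED(JOURNAL_GROUP, ["$journal_group"], [Group that journal files should belong to])` (this also fixes the description's grammar). The `AC_ARG_WITH` action also accepts whatever `$withval` holds, so `--with-journal-group` with no value or `--without-journal-group` would bake the literal strings `yes`/`no` into `JOURNAL_GROUP` and every journal file would then be chowned to a group of that name if one happens to exist; add a guard before the define such as `AS_IF([test -z "$journal_group" -o "x$journal_group" = xyes -o "x$journal_group" = xno], [AC_MSG_ERROR([--with-journal-group requires a group name])])`.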
diff --git a/man/systemd-journald.service.xml b/man/systemd-journald.service.xml
index bc32c8e..5d6c112 100644
--- a/man/systemd-journald.service.xml
+++ b/man/systemd-journald.service.xml
@@ -161,9 +161,10 @@
         <refsect1>
                 <title>Access Control</title>
 
-                <para>Journal files are by default owned and readable
-                by the <literal>systemd-journal</literal> system group
-                (but not writable). Adding a user to this group thus
+                <para>Unless configured differently, journal files are
+                by default owned and readable by the
+                <literal>systemd-journal</literal> system group (but
+                not writable). Adding a user to this group thus
                 enables her/him to read the journal files.</para>
 
                 <para>By default, each logged in user will get her/his
diff --git a/src/journal/journalctl.c b/src/journal/journalctl.c
index c90fecd..0171859 100644
--- a/src/journal/journalctl.c
+++ b/src/journal/journalctl.c
@@ -870,16 +870,16 @@ static int verify(sd_journal *j) {
 static int access_check(void) {
 
 #ifdef HAVE_ACL
-        if (access("/var/log/journal", F_OK) < 0 && geteuid() != 0 && in_group("systemd-journal") <= 0) {
-                log_error("Unprivileged users can't see messages unless persistent log storage is enabled. Users in the group 'systemd-journal' can always see messages.");
+        if (access("/var/log/journal", F_OK) < 0 && geteuid() != 0 && in_group(JOURNAL_GROUP) <= 0) {
+                log_error("Unprivileged users can't see messages unless persistent log storage is enabled. Users in the group '%s' can always see messages.", JOURNAL_GROUP);
                 return -EACCES;
         }
 
-        if (!arg_quiet && geteuid() != 0 && in_group("systemd-journal") <= 0)
-                log_warning("Showing user generated messages only. Users in the group 'systemd-journal' can see all messages. Pass -q to turn this notice off.");
+        if (!arg_quiet && geteuid() != 0 && in_group(JOURNAL_GROUP) <= 0)
+                log_warning("Showing user generated messages only. Users in the group '%s' can see all messages. Pass -q to turn this notice off.", JOURNAL_GROUP);
 #else
-        if (geteuid() != 0 && in_group("systemd-journal") <= 0) {
-                log_error("No access to messages. Only users in the group 'systemd-journal' can see messages.");
+        if (geteuid() != 0 && in_group(JOURNAL_GROUP) <= 0) {
+                log_error("No access to messages. Only users in the group '%s' can see messages.", JOURNAL_GROUP);
                 return -EACCES;
         }
 #endif
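Review bot: Since `JOURNAL_GROUP` expands to a quoted string literal, the three new log calls could splice it in by literal concatenation instead of a `%s` argument, e.g. `log_error("No access to messages. Only users in the group '" JOURNAL_GROUP "' can see messages.");`, which keeps each format string self-contained and lets -Wformat check it without a trailing argument. The checks also keep folding a negative return from `in_group()` into "not a member"; that is pre-existing, but now that the group name is build-time configurable a misspelled or absent group would surface only as these access messages, so a distinct diagnostic for the error case would help operators. Both this hunk and the journald-server.c hunk presumably rely on config.h providing `JOURNAL_GROUP`; confirm it is included in both files. `access_check` continues past the end of this hunk.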
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
index ac565c7..a933662 100644
--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@@ -174,7 +174,7 @@ static uint64_t available_space(Server *s) {
 }
 
 static void server_read_file_gid(Server *s) {
-        const char *g = "systemd-journal";
+        const char *g = JOURNAL_GROUP;
         int r;
 
         assert(s);
-- 
1.7.10.4



