[systemd-commits] 2 commits - Makefile.am README TODO man/systemd-journald.service.xml src/journal

Lennart Poettering lennart at kemper.freedesktop.org
Tue Mar 5 09:59:24 PST 2013


 Makefile.am                      |    9 ++++++++-
 README                           |   13 +++++++++++++
 TODO                             |   10 ++--------
 man/systemd-journald.service.xml |   35 ++++++++++++++++++++++++++++++++++-
 src/journal/journalctl.c         |   12 ++++++------
 src/journal/journald-server.c    |    6 +++---
 6 files changed, 66 insertions(+), 19 deletions(-)

New commits:
commit f47ec8ebb3858553dec870e1c596e39525f46360
Author: Lennart Poettering <lennart at poettering.net>
Date:   Tue Mar 5 18:59:14 2013 +0100

    update TODO

diff --git a/TODO b/TODO
index cef02e6..5ff5707 100644
--- a/TODO
+++ b/TODO
@@ -20,8 +20,6 @@ Fedora 19:
 
 * make anaconda write timeout=0 for encrypted devices
 
-* make sure pkexec works fine with pam_systemd works fine with audit=0
-
 * create /var/log/journal/
 
 * external: maybe it is time to patch procps so that "ps" links to
@@ -36,8 +34,6 @@ Fedora 19:
 
 * journal is not closed properly at shutdown when run in a container?
 
-* introduce new "journal" group in place of adm?
-
 * localed:
   - localectl: add listing support for X11 keymaps, by parsing /usr/share/X11/xkb/rules/xorg.lst
   - localectl: support new converted x11→console keymaps
@@ -175,21 +171,19 @@ Features:
   - maybe add API to send pairs of iovecs via sd_journal_send
   - journal: when writing journal auto-rotate if time jumps backwards
   - gatewayd: should run under its own UID
-  - journal: add a setgid "adm" utility to invoke from libsystemd-journal, which passes fds via STDOUT and does PK access
+  - journal: add a setgid "systemd-journal" utility to invoke from libsystemd-journal, which passes fds via STDOUT and does PK access
   - journactl: support negative filtering, i.e. FOOBAR!="waldo",
     and !FOOBAR for events without FOOBAR.
   - journal: when rotating, copy over old acls/access mode
-  - journal: document why we do not give ownership to journal files to the user that created them but use FS ACLs for that
   - journal: send out marker messages every now and then, and immediately sync with fdatasync() afterwards, in order to have hourly guaranteed syncs.
   - journal: when we haven't written anything in a while, sync to disk and mark file as offline, in order to be more often than not in a clean state
   - journal-send.c, log.c: when the log socket is clogged, and we drop, count this and write a message about this when it gets unclogged again.
   - journal: find a way to allow dropping history early, based on priority, other rules
   - journal: When used on NFS, check payload hashes
   - journal: When used on NFS make sure wake up sd_journal_wait() every 2s, to handle missing inotify
-  - document that people can use file system ACLs to manage access to journal files, with example
   - Introduce journalctl -b <nr> to show journal messages of a previous boot
   - journald: check whether it is OK if the client can still modify delivered journal entries
-  - journal live copy, based on libneon (client) and libmicrohttpd
+  - journal live copy, based on libneon (client) and libmicrohttpd (server)
   - journald: add kernel cmdline option to disable ratelimiting for debug purposes
   - refuse taking lower-case variable names in sd_journal_send() and friends.
   - journald: we currently rotate only after MaxUse+MaxFilesize has been reached.

commit a24c64f03f9c5c0304451d8542fee853187a5168
Author: Lennart Poettering <lennart at poettering.net>
Date:   Tue Mar 5 18:53:21 2013 +0100

    journald: introduce new "systemd-journal" group and make it own the journal files
    
    Previously all journal files were owned by "adm". In order to allow
    specific users to read the journal files without granting it access to
    the full "adm" powers, introduce a new specific group for this.
    
    "systemd-journal" has to be created by the packaging scripts manually at
    installation time. It's a good idea to assign a static UID/GID to this
    group, since /var/log/journal might be shared across machines via NFS.
    
    This commit also grants read access to the journal files by default to
    members of the "wheel" and "adm" groups via file system ACLs, since
    these "almost-root" groups should be able to see what's going on on the
    system. These ACLs are created by "make install". Packagers probably
    need to duplicate this logic in their postinst scripts.
    
    This also adds documentation on how to grant access to the journal to
    additional users or groups via fs ACLs.

diff --git a/Makefile.am b/Makefile.am
index 3d3f265..13211c4 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2563,9 +2563,16 @@ libsystemd_journal_internal_la_LIBADD += \
 	$(GCRYPT_LIBS)
 endif
 
-# move lib from $(libdir) to $(rootlibdir) and update devel link, if needed
+# move lib from $(libdir) to $(rootlibdir) and update devel link, if
+# needed. Also, grant read access to new journal files to members of
+# "adm" and "wheel".
 libsystemd-journal-install-hook:
 	libname=libsystemd-journal.so && $(move-to-rootlibdir)
+	$(MKDIR_P) $(DESTDIR)/var/log/journal
+	-chown 0:0 $(DESTDIR)/var/log/journal
+	-chmod 755 $(DESTDIR)/var/log/journal
+	-setfacl -nm g:adm:rx,d:g:adm:rx $(DESTDIR)/var/log/journal/
+	-setfacl -nm g:wheel:rx,d:g:wheel:rx $(DESTDIR)/var/log/journal/
 
 libsystemd-journal-uninstall-hook:
 	rm -f $(DESTDIR)$(rootlibdir)/libsystemd-journal.so*
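Review bot: The hook unconditionally creates `$(DESTDIR)/var/log/journal` (L106), and the existence of that directory is exactly what journalctl's access_check in this same commit (L201) treats as "persistent log storage is enabled", so `make install` now turns on persistent logging for every installation as a side effect, while the comment at L101-L103 only describes the ACL grant; if that is intended, say so, e.g. `# Also create /var/log/journal (this enables persistent storage) and grant read access to new journal files to members of "adm" and "wheel".`. The leading `-` on the chown/chmod/setfacl lines (L107-L110) means a non-root install or a host without the acl tools ends up with a directory lacking the intended ownership and ACLs and no diagnostic at all, so a packager copying this hook cannot tell whether the grant took effect; at least echo a warning when setfacl fails rather than discarding the status. Note also that the README hunk of this commit spells the group `system-journal` (L124) while the code, the Makefile comment and the man page use `systemd-journal`.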
diff --git a/README b/README
index d8b1b12..300a4cf 100644
--- a/README
+++ b/README
@@ -100,6 +100,19 @@ REQUIREMENTS:
         being 'html' or 'latexpdf'. If using DESTDIR for installation,
         pass the same DESTDIR to 'make sphinx-html' invocation.
 
+USERS AND GROUPS:
+        During runtime the journal daemon requires the
+        "system-journal" system group to exist. New journal files will
+        be readable by this group (but not writable) which may be used
+        to grant specific users read access.
+
+        It is also recommended to grant read access to all journal
+        files to the system groups "wheel" and "adm" with a command
+        like the following in the post installation script of the
+        package:
+
+        # setfacl -nm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/
+
 WARNINGS:
         systemd will warn you during boot if /etc/mtab is not a
         symlink to /proc/mounts. Please ensure that /etc/mtab is a
diff --git a/man/systemd-journald.service.xml b/man/systemd-journald.service.xml
index 4969ab1..bc32c8e 100644
--- a/man/systemd-journald.service.xml
+++ b/man/systemd-journald.service.xml
@@ -158,6 +158,38 @@
                 </variablelist>
         </refsect1>
 
+        <refsect1>
+                <title>Access Control</title>
+
+                <para>Journal files are by default owned and readable
+                by the <literal>systemd-journal</literal> system group
+                (but not writable). Adding a user to this group thus
+                enables her/him to read the journal files.</para>
+
+                <para>By default, each logged in user will get her/his
+                own set of journal files in
+                <filename>/var/log/journal/</filename>. These files
+                will not be owned by the user however, in order to
+                avoid that the user can write to them
+                directly. Instead, file system ACLs are used to ensure
+                the user gets read access only.</para>
+
+                <para>Additional users and groups may be granted
+                access to journal files via file system access control
+                lists (ACL). Distributions and administrators may
+                choose to grant read access to all members of the
+                <literal>wheel</literal> and <literal>adm</literal>
+                system groups with a command such as the
+                following:</para>
+
+                <programlisting># setfacl -Rnm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/</programlisting>
+
+                <para>Note that this command will update the ACLs both
+                for existing journal files and for future journal
+                files created in the
+                <filename>/var/log/journal/</filename>
+                directory.</para>
+        </refsect1>
 
         <refsect1>
                 <title>See Also</title>
@@ -166,7 +198,8 @@
                         <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
                         <citerefentry><refentrytitle>journald.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
                         <citerefentry><refentrytitle>systemd.journal-fields</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
-                        <citerefentry><refentrytitle>sd-journal</refentrytitle><manvolnum>3</manvolnum></citerefentry>
+                        <citerefentry><refentrytitle>sd-journal</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
+                        <citerefentry><refentrytitle>setfacl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
                 </para>
         </refsect1>
 
diff --git a/src/journal/journalctl.c b/src/journal/journalctl.c
index d898ae7..cb93fea 100644
--- a/src/journal/journalctl.c
+++ b/src/journal/journalctl.c
@@ -870,16 +870,16 @@ static int verify(sd_journal *j) {
 static int access_check(void) {
 
 #ifdef HAVE_ACL
-        if (access("/var/log/journal", F_OK) < 0 && geteuid() != 0 && in_group("adm") <= 0) {
-                log_error("Unprivileged users can't see messages unless persistent log storage is enabled. Users in the group 'adm' can always see messages.");
+        if (access("/var/log/journal", F_OK) < 0 && geteuid() != 0 && in_group("systemd-journal") <= 0) {
+                log_error("Unprivileged users can't see messages unless persistent log storage is enabled. Users in the group 'systemd-journal' can always see messages.");
                 return -EACCES;
         }
 
-        if (!arg_quiet && geteuid() != 0 && in_group("adm") <= 0)
-                log_warning("Showing user generated messages only. Users in the group 'adm' can see all messages. Pass -q to turn this notice off.");
+        if (!arg_quiet && geteuid() != 0 && in_group("systemd-journal") <= 0)
+                log_warning("Showing user generated messages only. Users in the group 'systemd-journal' can see all messages. Pass -q to turn this notice off.");
 #else
-        if (geteuid() != 0 && in_group("adm") <= 0) {
-                log_error("No access to messages. Only users in the group 'adm' can see messages.");
+        if (geteuid() != 0 && in_group("systemd-journal") <= 0) {
+                log_error("No access to messages. Only users in the group 'systemd-journal' can see messages.");
                 return -EACCES;
         }
 #endif
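Review bot: The notice at L208-L209 becomes misleading for users who get read access through the `adm`/`wheel` ACLs this same commit installs (Makefile.am, README, man page): they are not in `systemd-journal`, so they are told "Showing user generated messages only" although they can read every journal file. Group membership is only a heuristic for readability here, so either widen the wording, e.g. `log_warning("Showing user generated messages only. Users in the group 'systemd-journal', or granted access via ACLs, can see all messages. Pass -q to turn this notice off.");`, or base the notice on whether the journal directory is actually readable. The error strings at L202 and L214 have the same narrowing. access_check's body continues past the end of the hunk.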
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
index 654f7ac..ac565c7 100644
--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@@ -174,7 +174,7 @@ static uint64_t available_space(Server *s) {
 }
 
 static void server_read_file_gid(Server *s) {
-        const char *adm = "adm";
+        const char *g = "systemd-journal";
         int r;
 
         assert(s);
@@ -182,9 +182,9 @@ static void server_read_file_gid(Server *s) {
         if (s->file_gid_valid)
                 return;
 
-        r = get_group_creds(&adm, &s->file_gid);
+        r = get_group_creds(&g, &s->file_gid);
         if (r < 0)
-                log_warning("Failed to resolve 'adm' group: %s", strerror(-r));
+                log_warning("Failed to resolve '%s' group: %s", g, strerror(-r));
 
         /* if we couldn't read the gid, then it will be 0, but that's
          * fine and we shouldn't try to resolve the group again, so
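Review bot: Now that the group has to be created by packaging scripts (commit message and README) rather than being the pre-existing `adm`, a failed lookup at L236 is a realistic case, and the code still falls through with `file_gid` left at 0 as the comment at L241-L242 describes, presumably leaving new journal files group-owned by gid 0 so the intended group gets no access, with only a warning to show for it. Make that consequence visible in the message, e.g. `log_warning("Failed to resolve '%s' group, journal files will be created with gid 0: %s", g, strerror(-r));`, and consider whether a missing group should be treated as a configuration error for persistent storage rather than a silent downgrade. The local name `g` is also easy to misread next to the file's one-letter `s`; `group` would be clearer. server_read_file_gid continues past the end of the hunk.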


