[systemd-commits] README units/systemd-journal-gatewayd.service.in

Lennart Poettering lennart at kemper.freedesktop.org
Tue Mar 5 10:16:10 PST 2013


 README                                    |   16 +++++++++++-----
 units/systemd-journal-gatewayd.service.in |    3 +++
 2 files changed, 14 insertions(+), 5 deletions(-)

New commits:
commit 37495eede95d3212b797c8459d7ed6258fb23c6a
Author: Lennart Poettering <lennart at poettering.net>
Date:   Tue Mar 5 19:15:31 2013 +0100

    journal: make gatewayd run under its own user ID

diff --git a/README b/README
index 889c687..b6e347e 100644
--- a/README
+++ b/README
@@ -101,11 +101,12 @@ REQUIREMENTS:
         pass the same DESTDIR to 'make sphinx-html' invocation.
 
 USERS AND GROUPS:
-        Default udev rules use the following standard system group names,\
-        which need to be resolvable by getgrnam() at any time, even in the
-        very early boot stages, where no other databases and network is
-        available:
-          tty, dialout, kmem, video, audio, lp, floppy, cdrom, tape, disk
+        Default udev rules use the following standard system group
+        names, which need to be resolvable by getgrnam() at any time,
+        even in the very early boot stages, where no other databases
+        and network are available:
+
+        tty, dialout, kmem, video, audio, lp, floppy, cdrom, tape, disk
 
         During runtime the journal daemon requires the
         "system-journal" system group to exist. New journal files will
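Review bot: The rewrapped udev paragraph at the top of this hunk (dropping the stray trailing backslash and changing "is available" to "are available") is a cosmetic fix unrelated to the gatewayd user change named in the commit subject. Consider moving it to its own commit so that the privilege-drop change can be reviewed and reverted on its own.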
@@ -119,6 +120,11 @@ USERS AND GROUPS:
 
         # setfacl -nm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/
 
+        The journal gateway daemon requires the
+        "system-journal-gateway" system user and group to
+        exist. During execution this network facing service will drop
+        privileges and assume this uid/gid for security reasons.
+
 WARNINGS:
         systemd will warn you during boot if /etc/mtab is not a
         symlink to /proc/mounts. Please ensure that /etc/mtab is a
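Review bot: The added paragraph names the account "system-journal-gateway", but the unit file changed in this same commit sets User=systemd-journal-gateway and Group=systemd-journal-gateway. A packager who follows the README would create an account the unit never uses, and the service would then fail to start because the user it actually names does not exist. The README text should use the same spelling as the unit file.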
diff --git a/units/systemd-journal-gatewayd.service.in b/units/systemd-journal-gatewayd.service.in
index c3b5c72..a01ce8d 100644
--- a/units/systemd-journal-gatewayd.service.in
+++ b/units/systemd-journal-gatewayd.service.in
@@ -11,6 +11,9 @@ Requires=systemd-journal-gatewayd.socket
 
 [Service]
 ExecStart=@rootlibexecdir@/systemd-journal-gatewayd
+User=systemd-journal-gateway
+Group=systemd-journal-gateway
+SupplementaryGroups=systemd-journal
 
 [Install]
 Also=systemd-journal-gatewayd.socket
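Review bot: SupplementaryGroups=systemd-journal does not match the README, whose context lines in this commit still call the journal group "system-journal". This supplementary group is presumably how the now unprivileged gateway user gets read access to the journal files, so the two names need to agree, otherwise the daemon either fails to start or runs without that access. Separately, nothing in this patch creates the systemd-journal-gateway user or group, so the unit depends on packaging to provide them; the README should say so explicitly under the name the unit uses.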


