[systemd-commits] 2 commits - man/systemd-tmpfiles.xml man/tmpfiles.d.xml src/journal src/tmpfiles tmpfiles.d/systemd.conf
Lennart Poettering
lennart at kemper.freedesktop.org
Tue Sep 17 15:03:22 PDT 2013
man/systemd-tmpfiles.xml | 2 +-
man/tmpfiles.d.xml | 11 +++++++++++
src/journal/journald-server.c | 25 ++-----------------------
src/journal/journald-server.h | 3 ---
src/tmpfiles/tmpfiles.c | 39 +++++++++++++++++++++++++++++++--------
tmpfiles.d/systemd.conf | 3 +++
6 files changed, 48 insertions(+), 35 deletions(-)
New commits:
commit 4608af4333d0f7f5f8e3bc632801b04ef07d246d
Author: Lennart Poettering <lennart at poettering.net>
Date: Tue Sep 17 16:42:36 2013 -0500
journald: avoid NSS in journald
In order to avoid a deadlock between journald looking up the
"systemd-journal" group name, and nscd (or anyother NSS backing daemon)
logging something back to the journal avoid all NSS in journald the same
way as we avoid it from PID 1.
With this change we rely on the kernel file system logic to adjust the
group of created journal files via the SETGID bit on the journal
directory. To ensure that it is always set, even after the user created
it with a simply "mkdir" on the shell we fix it up via tmpfiles on boot.
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
index 709fa8b..cc8ce0d 100644
--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@@ -180,25 +180,6 @@ static uint64_t available_space(Server *s, bool verbose) {
return s->cached_available_space;
}
-static void server_read_file_gid(Server *s) {
- const char *g = "systemd-journal";
- int r;
-
- assert(s);
-
- if (s->file_gid_valid)
- return;
-
- r = get_group_creds(&g, &s->file_gid);
- if (r < 0)
- log_warning("Failed to resolve '%s' group: %s", g, strerror(-r));
-
- /* if we couldn't read the gid, then it will be 0, but that's
- * fine and we shouldn't try to resolve the group again, so
- * let's just pretend it worked right-away. */
- s->file_gid_valid = true;
-}
-
void server_fix_perms(Server *s, JournalFile *f, uid_t uid) {
int r;
#ifdef HAVE_ACL
@@ -209,11 +190,9 @@ void server_fix_perms(Server *s, JournalFile *f, uid_t uid) {
assert(f);
- server_read_file_gid(s);
-
- r = fchmod_and_fchown(f->fd, 0640, 0, s->file_gid);
+ r = fchmod(f->fd, 0640);
if (r < 0)
- log_warning("Failed to fix access mode/rights on %s, ignoring: %s", f->path, strerror(-r));
+ log_warning("Failed to fix access mode on %s, ignoring: %s", f->path, strerror(-r));
#ifdef HAVE_ACL
if (uid <= 0)
diff --git a/src/journal/journald-server.h b/src/journal/journald-server.h
index 238fc8c..10e9958 100644
--- a/src/journal/journald-server.h
+++ b/src/journal/journald-server.h
@@ -97,9 +97,6 @@ typedef struct Server {
usec_t max_file_usec;
usec_t oldest_file_usec;
- gid_t file_gid;
- bool file_gid_valid;
-
LIST_HEAD(StdoutStream, stdout_streams);
unsigned n_stdout_streams;
diff --git a/tmpfiles.d/systemd.conf b/tmpfiles.d/systemd.conf
index 4924b4e..c397c71 100644
--- a/tmpfiles.d/systemd.conf
+++ b/tmpfiles.d/systemd.conf
@@ -23,3 +23,6 @@ d /run/systemd/machines 0755 root root -
d /run/systemd/shutdown 0755 root root -
F /run/nologin 0644 - - - "System is booting up."
+
+m /var/log/journal 2755 root systemd-journal - -
+m /var/log/journal/%m 2755 root systemd-journal - -
commit 265ffa1e05acf12769a64d0734fd2472237c03c5
Author: Lennart Poettering <lennart at poettering.net>
Date: Tue Sep 17 16:33:30 2013 -0500
tmpfiles: add a new "m" line type that adjusts user/group/mode of a file if it exists
diff --git a/man/systemd-tmpfiles.xml b/man/systemd-tmpfiles.xml
index 281ab3c..ba727e1 100644
--- a/man/systemd-tmpfiles.xml
+++ b/man/systemd-tmpfiles.xml
@@ -165,7 +165,7 @@
<title>See Also</title>
<para>
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
</para>
</refsect1>
diff --git a/man/tmpfiles.d.xml b/man/tmpfiles.d.xml
index 1cf8992..9fc4b7c 100644
--- a/man/tmpfiles.d.xml
+++ b/man/tmpfiles.d.xml
@@ -156,6 +156,17 @@ L /tmp/foobar - - - - /dev/null</programlisting>
</varlistentry>
<varlistentry>
+ <term><varname>m</varname></term>
+ <listitem><para>If the
+ specified file path exists
+ adjust its access mode, group
+ and user to the specified
+ values and reset the SELinux
+ label. If it doesn't exist do
+ nothing.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><varname>x</varname></term>
<listitem><para>Ignore a path
during cleaning. Use this type
diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
index fb25b77..8122d6a 100644
--- a/src/tmpfiles/tmpfiles.c
+++ b/src/tmpfiles/tmpfiles.c
@@ -69,6 +69,7 @@ typedef enum ItemType {
CREATE_SYMLINK = 'L',
CREATE_CHAR_DEVICE = 'c',
CREATE_BLOCK_DEVICE = 'b',
+ ADJUST_MODE = 'm',
/* These ones take globs */
IGNORE_PATH = 'x',
@@ -257,8 +258,8 @@ static int dir_cleanup(
dev_t rootdev,
bool mountpoint,
int maxdepth,
- bool keep_this_level)
-{
+ bool keep_this_level) {
+
struct dirent *dent;
struct timespec times[2];
bool deleted = false;
@@ -429,12 +430,16 @@ finish:
return r;
}
-static int item_set_perms(Item *i, const char *path) {
+static int item_set_perms_full(Item *i, const char *path, bool ignore_enoent) {
+ int r;
+
/* not using i->path directly because it may be a glob */
if (i->mode_set)
if (chmod(path, i->mode) < 0) {
- log_error("chmod(%s) failed: %m", path);
- return -errno;
+ if (errno != ENOENT || !ignore_enoent) {
+ log_error("chmod(%s) failed: %m", path);
+ return -errno;
+ }
}
if (i->uid_set || i->gid_set)
@@ -442,11 +447,18 @@ static int item_set_perms(Item *i, const char *path) {
i->uid_set ? i->uid : (uid_t) -1,
i->gid_set ? i->gid : (gid_t) -1) < 0) {
- log_error("chown(%s) failed: %m", path);
- return -errno;
+ if (errno != ENOENT || !ignore_enoent) {
+ log_error("chown(%s) failed: %m", path);
+ return -errno;
+ }
}
- return label_fix(path, false, false);
+ r = label_fix(path, false, false);
+ return r == -ENOENT && ignore_enoent ? 0 : r;
+}
+
+static int item_set_perms(Item *i, const char *path) {
+ return item_set_perms_full(i, path, false);
}
static int write_one_file(Item *i, const char *path) {
@@ -642,6 +654,7 @@ static int create_item(Item *i) {
if (r < 0)
return r;
break;
+
case WRITE_FILE:
r = glob_item(i, write_one_file);
if (r < 0)
@@ -649,6 +662,13 @@ static int create_item(Item *i) {
break;
+ case ADJUST_MODE:
+ r = item_set_perms_full(i, i->path, true);
+ if (r < 0)
+ return r;
+
+ break;
+
case TRUNCATE_DIRECTORY:
case CREATE_DIRECTORY:
@@ -819,6 +839,7 @@ static int remove_item_instance(Item *i, const char *instance) {
case RELABEL_PATH:
case RECURSIVE_RELABEL_PATH:
case WRITE_FILE:
+ case ADJUST_MODE:
break;
case REMOVE_PATH:
@@ -864,6 +885,7 @@ static int remove_item(Item *i) {
case RELABEL_PATH:
case RECURSIVE_RELABEL_PATH:
case WRITE_FILE:
+ case ADJUST_MODE:
break;
case REMOVE_PATH:
@@ -1106,6 +1128,7 @@ static int parse_line(const char *fname, unsigned line, const char *buffer) {
case RECURSIVE_REMOVE_PATH:
case RELABEL_PATH:
case RECURSIVE_RELABEL_PATH:
+ case ADJUST_MODE:
break;
case CREATE_SYMLINK:
More information about the systemd-commits
mailing list