[systemd-devel] [PATCH] journald: Make the group that owns journal files configurable

Lennart Poettering lennart at poettering.net
Thu Mar 7 09:07:04 PST 2013

On Thu, 07.03.13 17:38, Gergely Nagy (algernon at balabit.hu) wrote:

> > I don't think this is really desirable. This group is something external
> > packages should be able to make use of and rely on, and it would be
> > suboptimal if you'd have to configure this group everywhere manually.
> The main reason behind the patch is that I already have systems
> installed where logfiles belong to a dedicated group, and when I'll be
> migrating those to systemd & journal, I'd like to keep the groups and
> not introduce yet another one that does the same thing. There's already
> more groups on my systems than I need, I'd like to trim them down, not
> introduce new ones.

Well, but there's no standard group so far that is only and exclusively
used for log file access. There's "adm", but that's rather loosely
defined only, and kinda suggests by its name it actually opens up more
than just access to log files?

I mean, we are not adding n or n^2 or 2^n or so groups here. We are
adding just 1. Maybe the better idea is to get "uucp" and "dip" removed
from the current set of default groups (at least we on Fedora still have
these nonsensical groups...)

> > So, I am very conservative on making this configurable, but hey, I can
> > be convinced, so can you make a really good case for this?
> Apart from the case I outlined above, all other reasons I'd have boil
> down to convenience. Similarly how the 'tty' group's ID is configurable,
> the journal group being similarly configurable would make it much easier
> downstream to adapt the journal to an existing environment.

Well, the tty group ID is very special. Normally we wouldn't care about
the ID of the tty, but we require it very very early where NSS is not
available to mount devpts.

I mean, you are comparing apples and oranges here. Saying that there
needs to be a group "foo" and saying that group "foo" must have ID
"4711" are two very different things. We only do the former, and make
the latter configurable, because after all the entire user database
exists in order to allow people to forget about the actual numeric IDs
assigned to the names.

The group name is supposed to be an identifier, that helps people to
know what things mean and by making this configurable you kinda break
this point...

> I mean, if I have to add the users I have in the adm group to
> systemd-journal as well, that means adding the group to LDAP, then
> updating the users too... ick. Too much work for no real gain for me.

This is a misconception. The "make install" call will actually set an
ACL on the journal dir, to grant "adm" and "wheel" read access to all
journal files, existing and future. This is even documented in
systemd-journald.service(8). We recommend all distributions to set up
these ACLs the same way.

So, to underline this: "adm" continues to have access to the journal
files by default. "systemd-journal" is just an additional group, that
happens to own the files, and that is more minimal than wheel, adm or
any other group.

Sorry, still not convinced...


Lennart Poettering - Red Hat, Inc.
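
The message above says the ACL on the journal directory grants "adm" and "wheel" read access to journal files "existing and future". The following is an added example, not part of the original message and not systemd code: a shell check that reads `getfacl` output and reports whether a group is covered by both the access ACL (existing files) and the default ACL (future files). The helper name `journal_acl_status`, the `JOURNAL_DIR` placeholder and the sample ACL text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of getfacl-style output (not captured from a real host).
# JOURNAL_DIR is a placeholder for the journal directory.
SAMPLE_ACL='# file: JOURNAL_DIR
# owner: root
# group: systemd-journal
user::rwx
group::r-x
group:adm:r-x
group:wheel:r-x
mask::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:adm:r-x
default:group:wheel:r-x
default:mask::r-x
default:other::r-x'

# journal_acl_status GROUP  (hypothetical helper; reads getfacl text on stdin)
# Prints which files a named-group ACL entry lets GROUP read:
#   existing+future | existing-only | future-only | none
journal_acl_status() {
    awk -F: -v grp="$1" '
        function readable(perm, m) {
            # A named-group entry is limited by the mask entry of its scope.
            return (perm ~ /^r/) && (m == "" || m ~ /^r/)
        }
        /^#/ || NF < 3 { next }              # header comments, blank lines
        {
            sub(/[ \t]*#.*/, "")             # drop "#effective:" annotations
            scope = "access"; off = 0
            if ($1 == "default") { scope = "default"; off = 1 }
            tag = $(1 + off); name = $(2 + off); perm = $(3 + off)
            if (tag == "mask") mask[scope] = perm
            if (tag == "group" && name == grp) entry[scope] = perm
        }
        END {
            a = readable(entry["access"], mask["access"])
            d = readable(entry["default"], mask["default"])
            if (a && d) print "existing+future"
            else if (a) print "existing-only"
            else if (d) print "future-only"
            else print "none"
        }'
}

printf '%s\n' "$SAMPLE_ACL" | journal_acl_status adm
```

A result of `existing-only` means the default ACL is missing, so newly created journal files would not inherit the group's read access.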
