[systemd-devel] [PATCH] journal: grant systemd-journal group permission
WaLyong Cho
walyong.cho at samsung.com
Mon Aug 25 23:43:17 PDT 2014
There are no Before= or After= dependencies between
systemd-journald.service and systemd-tmpfiles-setup.service. So if
"/run/log/journal" and/or "/var/log/journal" do not exist yet when
journald starts, journald creates them as root:root, along with the
machine-id directory and the journal files inside. To make sure they are
readable by the systemd-journal group, chown the journal directories and
files to that group explicitly.
---
src/journal/journald-server.c | 59 ++++++++++++++++++++++++++++++++++++-------
1 file changed, 50 insertions(+), 9 deletions(-)
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
index 01da38b..9934105 100644
--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@@ -191,6 +191,34 @@ static uint64_t available_space(Server *s, bool verbose) {
return s->cached_available_space;
}
+static int chown_group_systemd_journal(const char *path) {
+ int r;
+ gid_t gid;
+ _cleanup_free_ char *journal_group = NULL;
+
+ r = in_group("systemd-journal");
+ if (r < 0)
+ return r;
+
+ r = access(path, F_OK);
+ if (r < 0)
+ return -errno;
+
+ r = asprintf(&journal_group, "systemd-journal");
+ if (r < 0)
+ return -ENOMEM;
+
+ r = get_group_creds((const char **)&journal_group, &gid);
+ if (r < 0)
+ return r;
+
+ r = chown(path, getuid(), gid);
+ if (r < 0)
+ return -errno;
+
+ return 0;
+}
+
void server_fix_perms(Server *s, JournalFile *f, uid_t uid) {
int r;
#ifdef HAVE_ACL
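Review bot: In chown_group_systemd_journal the leading in_group() call gates nothing — only a negative return aborts, and the 0 that root will normally get falls through to the chown — so it is just a second group lookup ahead of get_group_creds(); likewise the asprintf() of a string constant exists only to feed the `(const char **)` cast, where a plain `const char *journal_group = "systemd-journal";` works and avoids `_cleanup_free_` on a pointer that get_group_creds() may overwrite. chown() also follows symlinks and rewrites the owner to getuid(): passing `(uid_t) -1` keeps the current owner, and lchown() keeps the call from being redirected through a link in the path. The access(path, F_OK) probe is redundant, since chown() itself reports ENOENT. Suggested rewrite:
```c
static int chown_group_systemd_journal(const char *path) {
        const char *journal_group = "systemd-journal";
        gid_t gid;
        int r;

        r = get_group_creds(&journal_group, &gid);
        if (r < 0)
                return r;

        /* Keep the current owner, only fix the group; don't follow symlinks. */
        if (lchown(path, (uid_t) -1, gid) < 0)
                return -errno;

        return 0;
}
```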
@@ -205,6 +233,10 @@ void server_fix_perms(Server *s, JournalFile *f, uid_t uid) {
if (r < 0)
log_warning("Failed to fix access mode on %s, ignoring: %s", f->path, strerror(-r));
+ r = chown_group_systemd_journal(f->path);
+ if (r < 0)
+ log_warning("Failed to chown group on %s, ignoring: %s", f->path, strerror(-r));
+
#ifdef HAVE_ACL
if (uid <= SYSTEM_UID_MAX)
return;
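Review bot: `chown_group_systemd_journal(f->path)` operates by path on a file journald already holds open, so it follows symlinks and can be redirected if f->path is swapped between the open and this call; since this runs per open JournalFile, an fd-based `fchown(f->fd, (uid_t) -1, gid)` (assuming JournalFile exposes its descriptor, as I'd expect) would avoid both that and the extra path lookup. As written it also runs unconditionally before the ACL block, so user journals get the same group change; if that is intended it is worth saying so in the description. server_fix_perms starts before and continues past this hunk.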
@@ -918,7 +950,6 @@ finish:
dispatch_message_real(s, iovec, n, m, ucred, tv, label, label_len, unit_id, priority, object_pid);
}
-
static int system_journal_open(Server *s) {
int r;
char *fn;
@@ -943,11 +974,14 @@ static int system_journal_open(Server *s) {
* If in persistent mode: create /var/log/journal and
* the machine path */
- if (s->storage == STORAGE_PERSISTENT)
+ if (s->storage == STORAGE_PERSISTENT) {
(void) mkdir("/var/log/journal/", 0755);
+ (void) chown_group_systemd_journal("/var/log/journal/");
+ }
fn = strappenda("/var/log/journal/", ids);
(void) mkdir(fn, 0755);
+ (void) chown_group_systemd_journal(fn);
fn = strappenda(fn, "/system.journal");
r = journal_file_open_reliably(fn, O_RDWR|O_CREAT, 0640, s->compress, s->seal, &s->system_metrics, s->mmap, NULL, &s->system_journal);
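Review bot: The machine-id directory is created with plain 0755 at `(void) mkdir(fn, 0755);` and then group-chowned, but without the setgid bit new journal files created under it keep the creating process's primary group, so every later file still depends on the explicit chown in server_fix_perms being reached. If the intent is for files to inherit systemd-journal automatically — presumably what the tmpfiles setup this patch works around provides — creating the directory as `(void) mkdir(fn, 02755);` (or chmod'ing it after the chown) would make that robust. The enclosing system_journal_open body continues outside the hunk.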
@@ -965,7 +999,20 @@ static int system_journal_open(Server *s) {
if (!s->runtime_journal &&
(s->storage != STORAGE_NONE)) {
- fn = strjoin("/run/log/journal/", ids, "/system.journal", NULL);
+ fn = strappenda("/run/log/journal/", ids);
+ if (!fn)
+ return -ENOMEM;
+
+ r = access(fn, F_OK);
+ if (r < 0 && errno == ENOENT) {
+ (void) mkdir("/run/log", 0755);
+ (void) mkdir("/run/log/journal", 0755);
+ (void) chown_group_systemd_journal("/run/log/journal/");
+ (void) mkdir(fn, 0755);
+ (void) chown_group_systemd_journal(fn);
+ }
+
+ fn = strappenda(fn, "/system.journal");
if (!fn)
return -ENOMEM;
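Review bot: `(void) mkdir(fn, 0755);` creates the per-machine runtime directory world-readable, whereas the `mkdir_parents(fn, 0750)` this patch removes further down created it 0750; the widening is not mentioned in the description and looks accidental. The journal file itself stays 0640, but anyone can now list the directory, so keep `(void) mkdir(fn, 0750);` unless the change is deliberate. Also, as far as I recall strappenda() is an alloca()-based macro that never returns NULL, so the `if (!fn) return -ENOMEM;` checks after it are dead, and the access()/ENOENT probe is unnecessary because mkdir() already fails harmlessly with EEXIST when the directory is there. system_journal_open continues outside this hunk.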
@@ -976,7 +1023,6 @@ static int system_journal_open(Server *s) {
* it into the system journal */
r = journal_file_open(fn, O_RDWR, 0640, s->compress, false, &s->runtime_metrics, s->mmap, NULL, &s->runtime_journal);
- free(fn);
if (r < 0) {
if (r != -ENOENT)
@@ -990,12 +1036,7 @@ static int system_journal_open(Server *s) {
/* OK, we really need the runtime journal, so create
* it if necessary. */
- (void) mkdir("/run/log", 0755);
- (void) mkdir("/run/log/journal", 0755);
- (void) mkdir_parents(fn, 0750);
-
r = journal_file_open_reliably(fn, O_RDWR|O_CREAT, 0640, s->compress, false, &s->runtime_metrics, s->mmap, NULL, &s->runtime_journal);
- free(fn);
if (r < 0) {
log_error("Failed to open runtime journal: %s", strerror(-r));
--
1.9.3