[systemd-devel] [PATCH] journal: grant systemd-journal group permission

Lennart Poettering lennart at poettering.net
Tue Aug 26 10:55:45 PDT 2014


On Tue, 26.08.14 15:43, WaLyong Cho (walyong.cho at samsung.com) wrote:

> There is no Before= or After= dependencies between
> systemd-journald.service and systemd-tmpfiles-setup.service. So if both
> "/run/log/journal" and "/var/log/journal" do not exist then those can
> be made as root:root and also its ids directory and journal files. To
> make sure, do chown systemd-journal group to journal directories and
> files.

Hmm? /run/log/journal will be recursively updated, and /var/log/journal
is not created by journald ever, but only by tmpfiles, which uses g+s to
ensure all files that will be created have the right owner from the
beginning.

> +static int chown_group_systemd_journal(const char *path) {
> +        int r;
> +        gid_t gid;
> +        _cleanup_free_ char *journal_group = NULL;
> +
> +        r = in_group("systemd-journal");
> +        if (r < 0)
> +                return r;
> +
> +        r = access(path, F_OK);
> +        if (r < 0)
> +                return -errno;
> +
> +        r = asprintf(&journal_group, "systemd-journal");
> +        if (r < 0)
> +                return -ENOMEM;
> +
> +        r = get_group_creds((const char **)&journal_group, &gid);
> +        if (r < 0)
> +                return r;
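Review bot: the get_group_creds() call at the end of this hunk resolves "systemd-journal" by name from inside journald, which is the NSS lookup the reply objects to; the gid should be applied by an external step (tmpfiles) rather than looked up here. Two smaller points in the same hunk: in_group("systemd-journal") returns 0 when the caller is not a member, but only `r < 0` is checked, so that result is silently dropped; and `asprintf(&journal_group, "systemd-journal")` allocates a heap copy of a string literal for no reason, `const char *journal_group = "systemd-journal";` would do if the call stays.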

We cannot do this. This internally invokes getpwent() which is an NSS
call. NSS calls might end up being IPC calls to some external daemon,
which might want to log, back into journald. This hence means we'd have
a cyclic dependency.

journald is not allowed to *ever* do NSS calls (and neither is PID 1
actually). We must apply the ownership from the outside via tmpfiles or
so hence.

Lennart

-- 
Lennart Poettering, Red Hat

