[systemd-devel] [PATCH] journal: grant systemd-journal group permission
WaLyong Cho
walyong.cho at samsung.com
Fri Aug 29 06:03:48 PDT 2014
On 08/27/2014 02:55 AM, Lennart Poettering wrote:
> On Tue, 26.08.14 15:43, WaLyong Cho (walyong.cho at samsung.com) wrote:
>
>> There is no Before= or After= dependency between
>> systemd-journald.service and systemd-tmpfiles-setup.service. So if both
>> "/run/log/journal" and "/var/log/journal" do not exist, then those can
>> be made as root:root, and also its ids directory and journal files. To
>> make sure, do chown the systemd-journal group to journal directories and
>> files.
>
> Hmm? /run/log/journal will be recursively updated, and /var/log/journal
> is not created by journald ever, but only by tmpfiles, which uses g+s to
> ensure all files that will be created have the right owner from the
> beginning.
>
I hope you will test like me. Set *Storage=persistent* in journald.conf,
remove "/var/log/journal" (back it up somewhere else) and restart.
Then maybe you can see the same as me:
[walyong at laptop ~]$ ls -alh /var/log/journal/9017c5267dfb4ec1869084165173ecb6/
total 16M
drwxr-sr-x 1 root systemd-journal 62 Aug 29 21:48 .
drwxr-sr-x 1 root systemd-journal 64 Aug 29 21:47 ..
-rw-r----- 1 root root 8.0M Aug 29 21:53 system.journal
-rw-r-----+ 1 root root 8.0M Aug 29 21:53 user-1000.journal
[walyong at laptop system]$ systemctl status systemd-tmpfiles-setup.service
● systemd-tmpfiles-setup.service - Create Volatile Files and Directories
   Loaded: loaded (/usr/lib/systemd/system/systemd-tmpfiles-setup.service; static)
   Active: active (exited) since Fri 2014-08-29 21:48:43 KST; 6min ago
     Docs: man:tmpfiles.d(5)
           man:systemd-tmpfiles(8)
  Process: 482 ExecStart=/usr/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev (code=exited, status=0/SUCCESS)
 Main PID: 482 (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/systemd-tmpfiles-setup.service
After this, we can NOT read system.journal until the journal file is
rotated (the newly generated system.journal will have root:systemd-journal
permission), even if we HAVE systemd-journal group permission.
Am I wrong?
>> +static int chown_group_systemd_journal(const char *path) {
>> + int r;
>> + gid_t gid;
>> + _cleanup_free_ char *journal_group = NULL;
>> +
>> + r = in_group("systemd-journal");
>> + if (r < 0)
>> + return r;
>> +
>> + r = access(path, F_OK);
>> + if (r < 0)
>> + return -errno;
>> +
>> + r = asprintf(&journal_group, "systemd-journal");
>> + if (r < 0)
>> + return -ENOMEM;
>> +
>> + r = get_group_creds((const char **)&journal_group, &gid);
>> + if (r < 0)
>> + return r;
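Review bot: the result of in_group("systemd-journal") at the top of chown_group_systemd_journal() is only checked for r < 0; a return of 0 (not a member) falls through and the function continues exactly as for a member, so either that call is dead code or the membership check is missing. The asprintf() of the literal "systemd-journal" and its -ENOMEM path are also unnecessary: a plain `const char *journal_group = "systemd-journal";` can be passed to get_group_creds(), which drops the (const char **) cast and the _cleanup_free_ buffer. Finally, the access(path, F_OK) probe adds nothing, since the path can change between the probe and the later operation on it; let that operation report -errno itself.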
>
> We cannot do this. This internally invokes getpwent(), which is an NSS
> call. NSS calls might end up being IPC calls to some external daemon,
> which might want to log back into journald. This hence means we'd have
> a cyclic dependency.
>
> journald is not allowed to *ever* do NSS calls (and neither is PID 1,
> actually). We must hence apply the ownership from the outside via tmpfiles
> or so.
>
> Lennart
>
WaLyong