[systemd-devel] systemd 211 journal getting created with different permissions

Greg KH gregkh at linuxfoundation.org
Tue Mar 11 23:24:35 PDT 2014


On Tue, Mar 11, 2014 at 11:08:59PM -0700, Greg KH wrote:
> On Tue, Mar 11, 2014 at 10:44:17PM -0700, Greg KH wrote:
> > On Tue, Mar 11, 2014 at 09:41:50PM -0700, Greg KH wrote:
> > > On Tue, Mar 11, 2014 at 08:38:58PM -0700, Greg KH wrote:
> > > > On Wed, Mar 12, 2014 at 04:21:55AM +0200, Mantas Mikulėnas wrote:
> > > > > On Wed, Mar 12, 2014 at 3:46 AM, Greg KH <gregkh at linuxfoundation.org> wrote:
> > > > > > Hi all,
> > > > > >
> > > > > > With systemd 211, a new journal file is getting created with permissions
> > > > > > of root:root instead of root:systemd-journal like previously (210 and
> > > > > > prior).
> > > > > >
> > > > > > I looked at the git log and can't see anything obvious that would have
> > > > > > caused this.
> > > > > >
> > > > > > Is this intentional?  Or something on my end with my system's
> > > > > > configuration?
> > > > > 
> > > > > Normally the journal files just inherit the group of /var/log/journal,
> > > > > which has the setgid bit (and the correct group) set by
> > > > > /usr/lib/tmpfiles.d/systemd.conf.
> > > > 
> > > > I thought so, and this worked on 210, and the permissions of
> > > > /var/log/journal/ are correct:
> > > > 
> > > > drwxr-sr-x 2 root systemd-journal 4096 Mar 12 01:36 0da484f8dee497fee9585ba9531fb7f1
> > > > 
> > > > > If you ran `make install`, however, it would chown /var/log/journal to
> > > > > 0:0 until the next time systemd-tmpfiles ran.
> > > > 
> > > > This gets created by the ebuild (this is on CoreOS), and the 210 ebuild
> > > > worked, so what is different here?
> > > 
> > > Apologies, I can now reproduce this on systemd 210, so this isn't a 211
> > > issue from what I can tell just yet, sorry for the noise.
> > 
> > In looking at this further, the /usr/lib/tmpfiles.d/systemd.conf will
> > not change the permissions on the journald file, only the directory:
> > 	m /var/log/journal 2755 root systemd-journal - -
> > 	m /var/log/journal/%m 2755 root systemd-journal - -
> > 	m /run/log/journal 2755 root systemd-journal - -
> > 	m /run/log/journal/%m 2755 root systemd-journal - -
> > 
> > So what is supposed to set the permissions on the journal file(s) that
> > live in /var/log/journal/%m/  ?
> > 
> > Let me do a build with 207 and see how that handles this issue...
> 
> Ah, found it.
> 
> Commit 4608af4333d0f7f5f8e3bc632801b04ef07d246d is the issue.
> 
> We moved from handling the mode internally, in 207, to using the
> tmpfiles.d infrastructure in 208.  On systems that previously were
> working on 207, if you upgrade, the permissions are set properly from
> 207.
> 
> But, for 208, this changed :(
> 
> So, what are the odds that file globbing works with tmpfiles.d, time to
> rebuild...

It works well enough, the following patch fixes the issue for me:

diff --git a/tmpfiles.d/systemd.conf b/tmpfiles.d/systemd.conf
index 7c6d6b9099b9..1aeb5e40f1ee 100644
--- a/tmpfiles.d/systemd.conf
+++ b/tmpfiles.d/systemd.conf
@@ -24,5 +24,7 @@ d /run/systemd/shutdown 0755 root root -
 
 m /var/log/journal 2755 root systemd-journal - -
 m /var/log/journal/%m 2755 root systemd-journal - -
+m /var/log/journal/%m/system.journal 2755 root systemd-journal - -
 m /run/log/journal 2755 root systemd-journal - -
 m /run/log/journal/%m 2755 root systemd-journal - -
+m /run/log/journal/%m/system.journal 2755 root systemd-journal - -
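
Review bot: the two added lines apply mode 2755 to system.journal, which is a regular file, so it receives the setgid and execute bits that only make sense on the directory entries above it; a plain file mode without those bits fits better here. The lines also name only system.journal, so any other journal file in /var/log/journal/%m or /run/log/journal/%m keeps whatever group it was created with; if globs are accepted in the path, a pattern covering every journal file in the directory would close that gap.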

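The layout discussed in this thread (setgid directories owned by the journal group, journal files inheriting that group) can be checked with a short audit script. This is an added example, not part of the original message or of systemd; the function name `audit_journal_tree` and the problem strings are made up for illustration, and the default path and group name are the ones quoted in the thread.

```python
# Added example: audit a journal tree against the layout described in the thread.
import os
import stat
import sys

# Bits a journal data file has no use for (the directory mode 2755 carries them).
FILE_BAD_BITS = stat.S_ISUID | stat.S_ISGID | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def audit_journal_tree(root, expected_gid):
    """Return (path, problem) tuples for entries that break the expected layout."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        dst = os.lstat(dirpath)
        if dst.st_gid != expected_gid:
            findings.append((dirpath, "directory has wrong group"))
        if not dst.st_mode & stat.S_ISGID:
            # Without setgid, new files get the creating process's group instead.
            findings.append((dirpath, "directory lacks setgid bit"))
        for name in sorted(filenames):
            if not name.endswith(".journal"):
                continue  # only journal files are in scope
            path = os.path.join(dirpath, name)
            fst = os.lstat(path)
            if not stat.S_ISREG(fst.st_mode):
                continue
            if fst.st_gid != expected_gid:
                findings.append((path, "file has wrong group"))
            if fst.st_mode & FILE_BAD_BITS:
                findings.append((path, "file has setuid/setgid or execute bits"))
    return findings


if __name__ == "__main__":
    import grp
    # Assumed defaults: the path and group name quoted in the thread.
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/log/journal"
    gid = grp.getgrnam("systemd-journal").gr_gid
    problems = audit_journal_tree(root, gid)
    for path, problem in problems:
        print(f"{path}: {problem}")
    sys.exit(1 if problems else 0)
```

Run against a tree in the state first reported here, it would list each journal file created as root:root under "file has wrong group".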
