[systemd-devel] [PATCH] Fix permissions on new journal files
Lennart Poettering
lennart at poettering.net
Mon Mar 24 17:40:18 PDT 2014
On Fri, 14.03.14 03:28, Zbigniew Jędrzejewski-Szmek (zbyszek at in.waw.pl) wrote:
>
> On Fri, Mar 14, 2014 at 12:07:35AM +0000, Greg KH wrote:
> > When starting up journald on a new system, set the proper permissions on
> > the system.journal file, not only on the journal directory.
> >
> > diff --git a/tmpfiles.d/systemd.conf b/tmpfiles.d/systemd.conf
> > index 7c6d6b9099b9..1aeb5e40f1ee 100644
> > --- a/tmpfiles.d/systemd.conf
> > +++ b/tmpfiles.d/systemd.conf
> > @@ -24,5 +24,7 @@ d /run/systemd/shutdown 0755 root root -
> >
> > m /var/log/journal 2755 root systemd-journal - -
> > m /var/log/journal/%m 2755 root systemd-journal - -
> > +m /var/log/journal/%m/system.journal 2755 root systemd-journal - -
> > m /run/log/journal 2755 root systemd-journal - -
> > m /run/log/journal/%m 2755 root systemd-journal - -
> > +m /run/log/journal/%m/system.journal 2755 root systemd-journal - -
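Review bot: the two added `+m .../%m/system.journal 2755 root systemd-journal - -` lines copy the directory mode onto a regular file. In 2755 the setgid and execute bits do their job on a directory (files created inside inherit the directory's group), but on a journal file they only mark a log file as executable and setgid, so if the entries are kept they need a plain file mode without those bits. They also cover only the file named system.journal: any other journal file in the same directory keeps whatever group and mode it was created with, while the existing `m /var/log/journal/%m 2755 root systemd-journal - -` line is already the mechanism that makes newly created files inherit the right group, which is the point the reply below raises.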
> This is just a kludge... Why is system.journal to be treated differently?
> It seems that the proper fix is to set the mode on the directory properly
> during installation.
Precisely, packaging scripts are expected to properly chown and setfacl
the directory on install. From the .spec file in Fedora:
# Make sure new journal files will be owned by the "systemd-journal" group
chgrp systemd-journal /var/log/journal/ /var/log/journal/`cat /etc/machine-id 2> /dev/null` >/dev/null 2>&1 || :
chmod g+s /var/log/journal/ /var/log/journal/`cat /etc/machine-id 2> /dev/null` >/dev/null 2>&1 || :
# Apply ACL to the journal directory
setfacl -Rnm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/ >/dev/null 2>&1 || :
Or something similar.
Unfortunately we never documented this explicitly anywhere (for example
in some INSTALL document), and we probably should. So far people had to
figure this out by looking at the NEWS file closely...
Lennart
--
Lennart Poettering, Red Hat