[systemd-devel] [PATCH] Fix permissions on new journal files

Greg KH gregkh at linuxfoundation.org
Tue Mar 25 08:41:50 PDT 2014


On Tue, Mar 25, 2014 at 01:40:18AM +0100, Lennart Poettering wrote:
> On Fri, 14.03.14 03:28, Zbigniew Jędrzejewski-Szmek (zbyszek at in.waw.pl) wrote:
> 
> > 
> > On Fri, Mar 14, 2014 at 12:07:35AM +0000, Greg KH wrote:
> > > When starting up journald on a new system, set the proper permissions on
> > > the system.journal file, not only on the journal directory.
> > > 
> > > diff --git a/tmpfiles.d/systemd.conf b/tmpfiles.d/systemd.conf
> > > index 7c6d6b9099b9..1aeb5e40f1ee 100644
> > > --- a/tmpfiles.d/systemd.conf
> > > +++ b/tmpfiles.d/systemd.conf
> > > @@ -24,5 +24,7 @@ d /run/systemd/shutdown 0755 root root -
> > >  
> > >  m /var/log/journal 2755 root systemd-journal - -
> > >  m /var/log/journal/%m 2755 root systemd-journal - -
> > > +m /var/log/journal/%m/system.journal 2755 root systemd-journal - -
> > >  m /run/log/journal 2755 root systemd-journal - -
> > >  m /run/log/journal/%m 2755 root systemd-journal - -
> > > +m /run/log/journal/%m/system.journal 2755 root systemd-journal - -
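Review bot: the mode 2755 on the two added system.journal lines is copied from the directory entries above them, but on a regular file it means rwxr-xr-x plus a setgid bit, so the journal would be world-readable and marked executable; the group inheritance that 2755 buys on a directory does not exist for a file, so if a per-file line is kept at all it should carry a file mode such as 0640 rather than the directory mode. A tmpfiles `m` entry also only adjusts a file that already exists when systemd-tmpfiles runs, so journals created or rotated later by journald are not covered; the existing directory lines in this hunk (group systemd-journal, setgid) are what makes new files come out with the right group.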
> > This is just a kludge... Why is system.journal to be treated differently?
> > It seems that the proper fix is to set the mode on the directory properly
> > during installation.
> 
> Precisely, packaging scripts are expected to properly chown and setfacl
> the directory on install. From the .spec file in Fedora:
> 
>     # Make sure new journal files will be owned by the "systemd-journal" group
>     chgrp systemd-journal /var/log/journal/ /var/log/journal/`cat /etc/machine-id 2> /dev/null` >/dev/null 2>&1 || :
>     chmod g+s /var/log/journal/ /var/log/journal/`cat /etc/machine-id 2> /dev/null` >/dev/null 2>&1 || :
> 
>     # Apply ACL to the journal directory
>     setfacl -Rnm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/ >/dev/null 2>&1 || :
> 
> Or something similar. 
> 
> Unfortunately we never documented this explicitly anywhere (for example
> in some INSTALL document), and we probably should. So far people had to
> figure this out by looking at the NEWS file closely...

Ok, thanks, there's probably a bug in the ebuild I'm using to lay down
the journal files on the system, I'll dig into it some more later this
week...

greg k-h
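The packaging steps Lennart quotes from the Fedora .spec (chgrp, chmod g+s, setfacl on the journal directory), as an added shell example that is not part of this thread, of systemd, or of the .spec: it applies them to a scratch directory with a group the current user belongs to, then creates a file inside the way journald would and checks that the file inherits the directory's group, which is the effect that makes per-file tmpfiles lines unnecessary. The scratch path, the group chosen by pick_group, the wheel/adm ACL groups and the 0640 file mode are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from systemd or the Fedora .spec quoted above.
# It replays the packaging steps (chgrp, setgid on the directory, optional
# read ACL) against an arbitrary directory and checks the effect that
# matters: a file created inside afterwards inherits the directory's group.
# Assumptions: POSIX sh with ls/awk/cut/mktemp; setfacl is optional; the
# ACL group names (wheel, adm in Fedora) are only examples.

# Set up DIR like a package sets up /var/log/journal: group GROUP, setgid
# bit so new entries inherit GROUP, and a read-only ACL for any further
# groups given after GROUP.
journal_dir_setup() {
    dir=$1; group=$2; shift 2
    mkdir -p "$dir" || return 1
    chgrp "$group" "$dir" || return 1
    # 2755 on a directory: the setgid bit makes files created inside
    # inherit the directory's group (what the spec's "chmod g+s" does).
    chmod 2755 "$dir" || return 1
    if command -v setfacl >/dev/null 2>&1; then
        for acl_group in "$@"; do
            # Same shape as the spec's setfacl line; "|| :" keeps a missing
            # group from failing the install, as the spec does.
            setfacl -Rnm "g:$acl_group:rx,d:g:$acl_group:rx" "$dir" 2>/dev/null || :
        done
    fi
}

# Group name of PATH, read from ls so it works without GNU stat.
path_group() {
    ls -ld "$1" | awk '{print $4}'
}

# True if DIR carries the setgid bit ('s' or 'S' in ls's group-execute slot).
has_setgid() {
    case $(ls -ld "$1" | cut -c1-10) in
        ??????[sS]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-in for journald creating a fresh journal in DIR: create the file
# with the mode a journal should have (0640 here, an assumption) and report
# the group it got. The group comes from the setgid directory, not from any
# per-file tmpfiles line.
new_journal_group() {
    f="$1/system.journal"
    : > "$f" || return 1
    chmod 0640 "$f" || return 1
    path_group "$f"
}

# Pick a group the current user can chgrp to: a supplementary group if
# there is one (so inheritance is visible), else the primary group.
pick_group() {
    primary=$(id -gn)
    for g in $(id -Gn); do
        if [ "$g" != "$primary" ]; then
            echo "$g"
            return 0
        fi
    done
    echo "$primary"
}

# Walk through it in a scratch directory.
demo() {
    scratch=$(mktemp -d) || return 1
    group=$(pick_group)
    journal_dir_setup "$scratch/journal" "$group" wheel adm || return 1
    echo "directory: $(ls -ld "$scratch/journal")"
    echo "new journal group: $(new_journal_group "$scratch/journal") (expected $group)"
    ls -l "$scratch/journal/system.journal"
    rm -rf "$scratch"
}

demo
```

If pick_group can only find the primary group, the inheritance check is trivially satisfied; run it as a user with a supplementary group (or as root with an explicit group) to see the directory's group override the creator's primary group, which is exactly what a root-run journald relies on to produce systemd-journal-owned files.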

