[systemd-devel] [PATCH] Improve log notice when unprivileged users run journalctl executable (reformatted)
Zbigniew Jędrzejewski-Szmek
zbyszek at in.waw.pl
Sun Mar 8 07:31:25 PDT 2015
On Sun, Mar 08, 2015 at 09:33:24AM +0100, Gautier Pelloux-Prayer wrote:
> Hi list,
>
> Currently, when user runs journalctl without extra privileges, output
> is:
>
> No journal files were found.
>
> This patch modifies this feedback by giving permission-hint to the user:
>
> No journal files were found. Users in the 'systemd-journal' group
> may access more messages.
>
> It should help new comers to understand that some extra privileges can
> be useful to retrieve logs.
The code in access_check() tries to distinguish the case where
no files are present and where the user is not allowed to access them.
A message similar to what you are proposing appears just a few lines
down.
If you're seeing this message with journal files being present, then it
means that the check is somehow wrong and should be fixed.
BTW, I now noticed that this logic needs to be updated for recent
changes to ACL handling. If you do any changes, be sure to pull the
latest git.
Zbyszek
>
> /Gautier
>
> From 0f973d231d057866d8626e680b80bded24103af0 Mon Sep 17 00:00:00 2001
> From: Gautier Pelloux-Prayer <gautier+git at damsy.net>
> Date: Sun, 11 Jan 2015 12:00:18 +0100
> Subject: [PATCH] Improve log notice when unprivileged users run journalctl
> executable
>
> ---
> src/journal/journalctl.c | 11 +++++------
> 1 file changed, 5 insertions(+), 6 deletions(-)
>
> diff --git a/src/journal/journalctl.c b/src/journal/journalctl.c
> index 56435ff..7f4c160 100644
> --- a/src/journal/journalctl.c
> +++ b/src/journal/journalctl.c
> @@ -1581,12 +1581,13 @@ static int access_check(sd_journal *j) {
> Iterator it;
> void *code;
> int r = 0;
> -
> + bool is_privileged = (geteuid() == 0) || (in_group("systemd-journal") > 0);
> assert(j);
>
> if (set_isempty(j->errors)) {
> if (ordered_hashmap_isempty(j->files))
> - log_notice("No journal files were found.");
> + log_notice("No journal files were found.%s",
> + is_privileged?"":" Users in the 'systemd-journal' group may access more messages.");
> return 0;
> }
>
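Review bot: the hint lands on the wrong branch: the new "Users in the 'systemd-journal' group may access more messages." text is printed only inside `if (set_isempty(j->errors))`, i.e. when no open error was recorded and simply no files exist, so group membership would not reveal anything more there; the permission case (EACCES in `j->errors`) is handled further down in access_check() and already carries a similar message. Keep the plain "No journal files were found." here, or tie the hint to a recorded EACCES rather than to `!is_privileged`. Two style points: `is_privileged?"":" ..."` wants spaces around `?` and `:` like the surrounding code, and the new declaration replaces the blank line that separated the declarations from `assert(j);`.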
> @@ -1594,9 +1595,7 @@ static int access_check(sd_journal *j) {
> #ifdef HAVE_ACL
> /* If /var/log/journal doesn't even exist,
> * unprivileged users have no access at all */
> - if (access("/var/log/journal", F_OK) < 0 &&
> - geteuid() != 0 &&
> - in_group("systemd-journal") <= 0) {
> + if (access("/var/log/journal", F_OK) < 0 && !is_privileged) {
> log_error("Unprivileged users cannot access messages, unless persistent log storage is\n"
> "enabled. Users in the 'systemd-journal' group may always access messages.");
> return -EACCES;
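Review bot: behaviour is unchanged here, but `is_privileged` is now computed unconditionally at the top of access_check(), so `in_group("systemd-journal")` (a group database lookup) runs on every call, including the early `set_isempty(j->errors)` return, whereas before it was only evaluated after `access("/var/log/journal", F_OK)` had failed. That is cheap, but a failed lookup (negative return) now silently makes the caller unprivileged on every path; a one-line comment next to the declaration stating that this is intentional would help the next reader.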
> @@ -1610,7 +1609,7 @@ static int access_check(sd_journal *j) {
> return r;
> }
> #else
> - if (geteuid() != 0 && in_group("systemd-journal") <= 0) {
> + if (!is_privileged) {
> log_error("Unprivileged users cannot access messages. Users in the 'systemd-journal' group\n"
> "group may access messages.");
> return -EACCES;
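Review bot: the `#else` message in this hunk's context lines reads "... Users in the 'systemd-journal' group\n" "group may access messages.", so the word "group" is emitted twice across the concatenated literals; since this hunk already touches the condition right above it, drop the second "group" in the same change. The condition rewrite itself (`!is_privileged`) is equivalent to the removed `geteuid() != 0 && in_group(...) <= 0`.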
> --
> 2.1.4
>
> _______________________________________________
> systemd-devel mailing list
> systemd-devel at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/systemd-devel
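As an added illustration of the distinction Zbyszek describes, not code from systemd or from the patch: a stand-alone C classifier that models the state journalctl's access_check() looks at (the count of opened files, the errno values collected while opening, and the euid/group test the patch folds into `is_privileged`) and attaches the group hint only to the EACCES case. The `access_state` struct, `classify_journal_access()` and `classify_simple()` are names constructed here, not systemd APIs.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/* The situations journalctl's access_check() has to keep apart. */
enum journal_diag {
        JOURNAL_OK,             /* files opened, nothing to report */
        JOURNAL_NONE_FOUND,     /* no files, no errors: a group hint would mislead */
        JOURNAL_ACCESS_DENIED,  /* EACCES recorded and the caller is unprivileged */
        JOURNAL_OTHER_ERROR     /* errors that privilege would not fix */
};

/* Constructed stand-in for what sd_journal accumulates while opening files. */
struct access_state {
        size_t n_files;         /* files successfully opened (j->files) */
        const int *errors;      /* errno values recorded on failure (j->errors) */
        size_t n_errors;
        bool euid_is_root;      /* geteuid() == 0 */
        int in_group_result;    /* in_group(): >0 member, 0 not, <0 lookup failed */
};

/* Same conservative rule as the patch: a failed lookup (<0) never grants privilege. */
static bool is_privileged(const struct access_state *s)
{
        return s->euid_is_root || s->in_group_result > 0;
}

enum journal_diag classify_journal_access(const struct access_state *s)
{
        bool saw_eacces = false;
        for (size_t i = 0; i < s->n_errors; i++)
                if (s->errors[i] == EACCES)
                        saw_eacces = true;
        /* No error at all: group membership cannot reveal files that do not exist. */
        if (s->n_errors == 0)
                return s->n_files == 0 ? JOURNAL_NONE_FOUND : JOURNAL_OK;
        /* A permission error is the one case where the group hint is justified. */
        if (saw_eacces && !is_privileged(s))
                return JOURNAL_ACCESS_DENIED;
        return JOURNAL_OTHER_ERROR;
}

/* Scalar wrapper: one recorded errno (0 for none), handy for quick checks. */
enum journal_diag classify_simple(size_t n_files, int err, bool euid_is_root, int in_group_result)
{
        struct access_state s = { n_files, &err, err ? 1 : 0, euid_is_root, in_group_result };
        return classify_journal_access(&s);
}
```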