[systemd-devel] [PATCH] Improve log notice when unprivileged users run journalctl executable (reformatted)
Zbigniew Jędrzejewski-Szmek
zbyszek at in.waw.pl
Sun Mar 8 08:15:54 PDT 2015
On Sun, Mar 08, 2015 at 03:31:25PM +0100, Zbigniew Jędrzejewski-Szmek wrote:
> On Sun, Mar 08, 2015 at 09:33:24AM +0100, Gautier Pelloux-Prayer wrote:
> > Hi list,
> >
> > Currently, when user runs journalctl without extra privileges, output
> > is:
> >
> > No journal files were found.
> >
> > This patch modifies this feedback by giving permission-hint to the user:
> >
> > No journal files were found. Users in the 'systemd-journal' group
> > may access more messages.
> >
> > It should help new comers to understand that some extra privileges can
> > be useful to retrieve logs.
> The code in access_check() tries to distinguish the case where
> no files are resent and where the user is not allowed to access them.
> A message similar to what you are proposing appears just a few lines
> down.
Oh, I think I found the problem. Can you check again with the latest git?
Zbyszek
> If you're seeing this message journal files being present, then it
> means that the check is somehow wrong and should be fixed.
>
> BTW., I now noticed the this logic needs to be updated for recent
> changes to ACL handling. If you do any changes, be sure to pull the
> latest git.
>
> Zbyszek
>
> >
> > /Gautier
> >
> > diff --git a/src/journal/journalctl.c b/src/journal/journalctl.c
> > index 56435ff..7f4c160 100644
> > --- a/src/journal/journalctl.c
> > +++ b/src/journal/journalctl.c
> > @@ -1581,12 +1581,13 @@ static int access_check(sd_journal *j) {
> > Iterator it;
> > void *code;
> > int r = 0;
> > -
> > + bool is_privileged = (geteuid() == 0) ||
> > (in_group("systemd-journal") > 0);
> > assert(j);
> >
> > if (set_isempty(j->errors)) {
> > if (ordered_hashmap_isempty(j->files))
> > - log_notice("No journal files were found.");
> > + log_notice("No journal files were found.%s",
> > + is_privileged?"":" Users in the
> > 'systemd-journal' group may access more messages.");
> > return 0;
> > }
> >
> > @@ -1594,9 +1595,7 @@ static int access_check(sd_journal *j) {
> > #ifdef HAVE_ACL
> > /* If /var/log/journal doesn't even exist,
> > * unprivileged users have no access at all */
> > - if (access("/var/log/journal", F_OK) < 0 &&
> > - geteuid() != 0 &&
> > - in_group("systemd-journal") <= 0) {
> > + if (access("/var/log/journal", F_OK) < 0 && !
> > is_privileged) {
> > log_error("Unprivileged users cannot access
> > messages, unless persistent log storage is\n"
> > "enabled. Users in the
> > 'systemd-journal' group may always access messages.");
> > return -EACCES;
> > @@ -1610,7 +1609,7 @@ static int access_check(sd_journal *j) {
> > return r;
> > }
> > #else
> > - if (geteuid() != 0 && in_group("systemd-journal") <= 0)
> > {
> > + if (!is_privileged) {
> > log_error("Unprivileged users cannot access
> > messages. Users in the 'systemd-journal' group\n"
> > "group may access messages.");
> > return -EACCES;
> >
> >
>
> > From 0f973d231d057866d8626e680b80bded24103af0 Mon Sep 17 00:00:00 2001
> > From: Gautier Pelloux-Prayer <gautier+git at damsy.net>
> > Date: Sun, 11 Jan 2015 12:00:18 +0100
> > Subject: [PATCH] Improve log notice when unprivileged users run journalctl
> > executable
> >
> > ---
> > src/journal/journalctl.c | 11 +++++------
> > 1 file changed, 5 insertions(+), 6 deletions(-)
> >
> > diff --git a/src/journal/journalctl.c b/src/journal/journalctl.c
> > index 56435ff..7f4c160 100644
> > --- a/src/journal/journalctl.c
> > +++ b/src/journal/journalctl.c
> > @@ -1581,12 +1581,13 @@ static int access_check(sd_journal *j) {
> > Iterator it;
> > void *code;
> > int r = 0;
> > -
> > + bool is_privileged = (geteuid() == 0) || (in_group("systemd-journal") > 0);
> > assert(j);
> >
> > if (set_isempty(j->errors)) {
> > if (ordered_hashmap_isempty(j->files))
> > - log_notice("No journal files were found.");
> > + log_notice("No journal files were found.%s",
> > + is_privileged?"":" Users in the 'systemd-journal' group may access more messages.");
> > return 0;
> > }
> >
> > @@ -1594,9 +1595,7 @@ static int access_check(sd_journal *j) {
> > #ifdef HAVE_ACL
> > /* If /var/log/journal doesn't even exist,
> > * unprivileged users have no access at all */
> > - if (access("/var/log/journal", F_OK) < 0 &&
> > - geteuid() != 0 &&
> > - in_group("systemd-journal") <= 0) {
> > + if (access("/var/log/journal", F_OK) < 0 && !is_privileged) {
> > log_error("Unprivileged users cannot access messages, unless persistent log storage is\n"
> > "enabled. Users in the 'systemd-journal' group may always access messages.");
> > return -EACCES;
> > @@ -1610,7 +1609,7 @@ static int access_check(sd_journal *j) {
> > return r;
> > }
> > #else
> > - if (geteuid() != 0 && in_group("systemd-journal") <= 0) {
> > + if (!is_privileged) {
> > log_error("Unprivileged users cannot access messages. Users in the 'systemd-journal' group\n"
> > "group may access messages.");
> > return -EACCES;
> > --
> > 2.1.4
> >
>
> > _______________________________________________
> > systemd-devel mailing list
> > systemd-devel at lists.freedesktop.org
> > http://lists.freedesktop.org/mailman/listinfo/systemd-devel
>
> _______________________________________________
> systemd-devel mailing list
> systemd-devel at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/systemd-devel
More information about the systemd-devel
mailing list