[systemd-devel] [PATCH] Improve log notice when unprivileged users run journalctl executable (reformatted)
Gautier Pelloux-Prayer
gautier at damsy.net
Mon Mar 9 16:03:08 PDT 2015
Indeed as far as I could see in my virtual machine, this is working now
as expected!
On Sunday 08 March 2015 at 16:15 +0100, Zbigniew Jędrzejewski-Szmek
wrote:
> On Sun, Mar 08, 2015 at 03:31:25PM +0100, Zbigniew Jędrzejewski-Szmek wrote:
> > On Sun, Mar 08, 2015 at 09:33:24AM +0100, Gautier Pelloux-Prayer wrote:
> > > Hi list,
> > >
> > > Currently, when a user runs journalctl without extra privileges, the output
> > > is:
> > >
> > > No journal files were found.
> > >
> > > This patch modifies this feedback by giving permission-hint to the user:
> > >
> > > No journal files were found. Users in the 'systemd-journal' group
> > > may access more messages.
> > >
> > > It should help newcomers to understand that some extra privileges can
> > > be useful to retrieve logs.
> > The code in access_check() tries to distinguish the case where
> > no files are present and where the user is not allowed to access them.
> > A message similar to what you are proposing appears just a few lines
> > down.
> Oh, I think I found the problem. Can you check again with the latest git?
>
> Zbyszek
>
> > If you're seeing this message with journal files being present, then it
> > means that the check is somehow wrong and should be fixed.
> >
> > BTW, I now noticed that this logic needs to be updated for recent
> > changes to ACL handling. If you do any changes, be sure to pull the
> > latest git.
> >
> > Zbyszek
> >
> > >
> > > /Gautier
> > >
> > > diff --git a/src/journal/journalctl.c b/src/journal/journalctl.c
> > > index 56435ff..7f4c160 100644
> > > --- a/src/journal/journalctl.c
> > > +++ b/src/journal/journalctl.c
> > > @@ -1581,12 +1581,13 @@ static int access_check(sd_journal *j) {
> > > Iterator it;
> > > void *code;
> > > int r = 0;
> > > -
> > > + bool is_privileged = (geteuid() == 0) ||
> > > (in_group("systemd-journal") > 0);
> > > assert(j);
> > >
> > > if (set_isempty(j->errors)) {
> > > if (ordered_hashmap_isempty(j->files))
> > > - log_notice("No journal files were found.");
> > > + log_notice("No journal files were found.%s",
> > > + is_privileged?"":" Users in the
> > > 'systemd-journal' group may access more messages.");
> > > return 0;
> > > }
> > >
> > > @@ -1594,9 +1595,7 @@ static int access_check(sd_journal *j) {
> > > #ifdef HAVE_ACL
> > > /* If /var/log/journal doesn't even exist,
> > > * unprivileged users have no access at all */
> > > - if (access("/var/log/journal", F_OK) < 0 &&
> > > - geteuid() != 0 &&
> > > - in_group("systemd-journal") <= 0) {
> > > + if (access("/var/log/journal", F_OK) < 0 && !
> > > is_privileged) {
> > > log_error("Unprivileged users cannot access
> > > messages, unless persistent log storage is\n"
> > > "enabled. Users in the
> > > 'systemd-journal' group may always access messages.");
> > > return -EACCES;
> > > @@ -1610,7 +1609,7 @@ static int access_check(sd_journal *j) {
> > > return r;
> > > }
> > > #else
> > > - if (geteuid() != 0 && in_group("systemd-journal") <= 0)
> > > {
> > > + if (!is_privileged) {
> > > log_error("Unprivileged users cannot access
> > > messages. Users in the 'systemd-journal' group\n"
> > > "group may access messages.");
> > > return -EACCES;
> > >
> > >
> >
> > > From 0f973d231d057866d8626e680b80bded24103af0 Mon Sep 17 00:00:00 2001
> > > From: Gautier Pelloux-Prayer <gautier+git at damsy.net>
> > > Date: Sun, 11 Jan 2015 12:00:18 +0100
> > > Subject: [PATCH] Improve log notice when unprivileged users run journalctl
> > > executable
> > >
> > > ---
> > > src/journal/journalctl.c | 11 +++++------
> > > 1 file changed, 5 insertions(+), 6 deletions(-)
> > >
> > > diff --git a/src/journal/journalctl.c b/src/journal/journalctl.c
> > > index 56435ff..7f4c160 100644
> > > --- a/src/journal/journalctl.c
> > > +++ b/src/journal/journalctl.c
> > > @@ -1581,12 +1581,13 @@ static int access_check(sd_journal *j) {
> > > Iterator it;
> > > void *code;
> > > int r = 0;
> > > -
> > > + bool is_privileged = (geteuid() == 0) || (in_group("systemd-journal") > 0);
> > > assert(j);
> > >
> > > if (set_isempty(j->errors)) {
> > > if (ordered_hashmap_isempty(j->files))
> > > - log_notice("No journal files were found.");
> > > + log_notice("No journal files were found.%s",
> > > + is_privileged?"":" Users in the 'systemd-journal' group may access more messages.");
> > > return 0;
> > > }
> > >
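Review bot: the hint appended in `log_notice("No journal files were found.%s", ...)` is emitted in the branch where `set_isempty(j->errors)` holds and `ordered_hashmap_isempty(j->files)` is true, i.e. no access error was recorded and no file was opened, so it tells an unprivileged user about the 'systemd-journal' group even when there is genuinely nothing to read; the permission case is already reported with `log_error(...)` and `return -EACCES;` further down in `access_check()`, which is where a group hint belongs. Two smaller points: `is_privileged?"":" Users ..."` should have spaces around `?` and `:` to match the surrounding style, and because `is_privileged` is now initialised at function entry, `in_group("systemd-journal")` is evaluated on every call, including this early-return path where the old code never consulted group membership.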
> > > @@ -1594,9 +1595,7 @@ static int access_check(sd_journal *j) {
> > > #ifdef HAVE_ACL
> > > /* If /var/log/journal doesn't even exist,
> > > * unprivileged users have no access at all */
> > > - if (access("/var/log/journal", F_OK) < 0 &&
> > > - geteuid() != 0 &&
> > > - in_group("systemd-journal") <= 0) {
> > > + if (access("/var/log/journal", F_OK) < 0 && !is_privileged) {
> > > log_error("Unprivileged users cannot access messages, unless persistent log storage is\n"
> > > "enabled. Users in the 'systemd-journal' group may always access messages.");
> > > return -EACCES;
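Review bot: the condition `access("/var/log/journal", F_OK) < 0 && !is_privileged` is equivalent to the three removed lines, since `!is_privileged` expands to `geteuid() != 0 && in_group("systemd-journal") <= 0`, so behaviour is preserved here. One caveat worth keeping in mind: the `> 0` / `<= 0` comparisons show that `in_group()` can return a negative value on failure, and both the old and the new form fold that into "not in the group", so a failed group lookup is reported to the user as "Unprivileged users cannot access messages" rather than as the lookup error it is; consider checking for a negative return before deriving `is_privileged`.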
> > > @@ -1610,7 +1609,7 @@ static int access_check(sd_journal *j) {
> > > return r;
> > > }
> > > #else
> > > - if (geteuid() != 0 && in_group("systemd-journal") <= 0) {
> > > + if (!is_privileged) {
> > > log_error("Unprivileged users cannot access messages. Users in the 'systemd-journal' group\n"
> > > "group may access messages.");
> > > return -EACCES;
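Review bot: the unchanged string literal on the last lines of this hunk reads `"... Users in the 'systemd-journal' group\n"` followed by `"group may access messages."`, so the printed message contains "group group"; since this block is being edited anyway, drop the duplicated word and, for consistency with the `#ifdef HAVE_ACL` branch above, consider the same "may always access messages" wording. The `!is_privileged` substitution itself is equivalent to the removed `geteuid() != 0 && in_group("systemd-journal") <= 0` condition.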
> > > --
> > > 2.1.4
> > >
> >
> > > _______________________________________________
> > > systemd-devel mailing list
> > > systemd-devel at lists.freedesktop.org
> > > http://lists.freedesktop.org/mailman/listinfo/systemd-devel