[systemd-devel] Normal user can ask status of services

Leon Fauster leonfauster at googlemail.com
Sun Aug 27 16:21:03 UTC 2023


On 26.08.23 at 18:41, Cecil Westerhof wrote:
> Replying on google does not work as I am used to. It sends to the sender 
> instead of the group. 😱
> 
> On Sat, 26 Aug 2023 at 18:36, Cecil Westerhof
> <cldwesterhof at gmail.com> wrote:
> 
>     On Sat, 26 Aug 2023 at 14:46, Michael Biebl <mbiebl at gmail.com> wrote:
> 
>         On Sat, 26 Aug 2023 at 09:44, Cecil Westerhof
>         <cldwesterhof at gmail.com> wrote:
>          >
>          > I am at last implementing systemd timers. The service I
>          > created can have its status queried by a normal user. I thought
>          > I must have made a mistake. But when I do:
>          >     systemctl status cron
>          >
>          > I get:
>          >     ● cron.service - Regular background program processing daemon
>          >          Loaded: loaded (/lib/systemd/system/cron.service; enabled; preset: enabled)
>          >          Active: active (running) since Sat 2023-08-19 18:12:04 CEST; 6 days ago
>          >            Docs: man:cron(8)
>          >        Main PID: 790 (cron)
>          >           Tasks: 1 (limit: 17837)
>          >          Memory: 91.0M
>          >             CPU: 14min 3.110s
>          >          CGroup: /system.slice/cron.service
>          >                  └─790 /usr/sbin/cron -f
>          >
>          >     Warning: some journal files were not opened due to insufficient permissions.
>          >
>          > Is this the expected behaviour?
>          > If not: what could be wrong with my system?
>          >
>          > This is on Debian 11.
> 
>         Reading system logs is a privileged operation.
> 
>         You can grant this privilege to individual users by adding them
>         to the systemd-journal (or adm) group.
> 
>         Adding users to the adm group will grant them additional privileges,
>         so be careful.
> 
> 
>     The user is in the lpadmin group, but not in systemd-journal, or adm
>     and still can ask the status.
>     Another reply indicates that this is normal.
> 


Well, you can look at the process list anytime as a normal user. So, what 
are you trying to accomplish? What's the goal? Hiding the process from 
the users?

-- 
Leon
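
The thread names systemd-journal and adm as the groups that grant log access. The following is an added example, not part of any message in the thread: a shell audit that lists which accounts hold either group, as a supplementary or as a primary group. The account names, GIDs and file contents are constructed sample data, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: which accounts can read the system journal through
# membership of systemd-journal or adm (the groups named in the thread)?
# Inputs are files in /etc/group and /etc/passwd format.

journal_readers() {
    # $1 = group file, $2 = passwd file; prints "user:group", sorted
    awk -F: '
        # First file (group db): record GIDs and supplementary members.
        FNR == NR {
            if ($1 == "systemd-journal" || $1 == "adm") {
                gid[$3] = $1
                n = split($4, m, ",")
                for (i = 1; i <= n; i++)
                    if (m[i] != "") print m[i] ":" $1
            }
            next
        }
        # Second file (passwd db): a matching primary GID grants access too.
        ($4 in gid) { print $1 ":" gid[$4] }
    ' "$1" "$2" | LC_ALL=C sort -u
}

make_sample() {
    # Constructed sample data written into directory $1.
    printf '%s\n' \
        'adm:x:4:syslog,alice' \
        'lpadmin:x:113:carol' \
        'systemd-journal:x:101:bob' \
        'users:x:100:' > "$1/group"
    printf '%s\n' \
        'alice:x:1000:1000::/home/alice:/bin/bash' \
        'bob:x:1001:1001::/home/bob:/bin/bash' \
        'carol:x:1002:100::/home/carol:/bin/bash' \
        'logsvc:x:998:101::/nonexistent:/usr/sbin/nologin' > "$1/passwd"
}

# Stand-alone run on the constructed sample.
d=$(mktemp -d) && make_sample "$d" && journal_readers "$d/group" "$d/passwd"
rm -rf "$d"
```

In the sample, carol is only in lpadmin, like the user in the thread, so she is not listed; logsvc is listed because its primary GID is systemd-journal even though the group line does not name it. On a live system the same function can be pointed at /etc/group and /etc/passwd.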