[systemd-devel] Normal user can ask status of services
Andrei Borzenkov
arvidjaar at gmail.com
Sun Aug 27 18:46:29 UTC 2023
On 27.08.2023 20:35, Cecil Westerhof wrote:
> On Sun 27 Aug 2023 at 18:30, Leon Fauster <leonfauster at googlemail.com> wrote:
>
>> On 26.08.23 at 18:41, Cecil Westerhof wrote:
>>> Replying on google does not work as I am used to. It sends to the sender
>>> instead of the group. 😱
>>>
>>> On Sat 26 Aug 2023 at 18:36, Cecil Westerhof <cldwesterhof at gmail.com> wrote:
>>>
>>> On Sat 26 Aug 2023 at 14:46, Michael Biebl <mbiebl at gmail.com> wrote:
>>>
>>> On Sat 26 Aug 2023 at 09:44, Cecil Westerhof <cldwesterhof at gmail.com> wrote:
>>> >
>>> > I am at last implementing systemd timers. The service I
>>> created can have its status queried by a normal user. I thought
>>> I must have made a mistake. But when I do:
>>> > systemctl status cron
>>> >
>>> > I get:
>>> > ● cron.service - Regular background program processing daemon
>>> >      Loaded: loaded (/lib/systemd/system/cron.service; enabled; preset: enabled)
>>> >      Active: active (running) since Sat 2023-08-19 18:12:04 CEST; 6 days ago
>>> >        Docs: man:cron(8)
>>> >    Main PID: 790 (cron)
>>> >       Tasks: 1 (limit: 17837)
>>> >      Memory: 91.0M
>>> >         CPU: 14min 3.110s
>>> >      CGroup: /system.slice/cron.service
>>> >              └─790 /usr/sbin/cron -f
>>> >
>>> > Warning: some journal files were not opened due to insufficient permissions.
>>> >
>>> > Is this the expected behaviour?
>>> > If not: what could be wrong with my system?
>>> >
>>> > This is on Debian 11.
>>>
>>> Reading system logs is a privileged operation.
>>>
>>> You can grant this privilege to individual users by adding them to the
>>> systemd-journal (or adm) group.
>>>
>>> Adding users to the adm will grant them additional privileges,
>>> so be careful.
>>>
>>>
>>> The user is in the lpadmin group, but not in systemd-journal, or adm
>>> and still can ask the status.
>>> Another reply indicates that this is normal.
>>>
>>
>>
>> Well, you can look at the process list anytime as a normal user. So, what
>> are you trying to accomplish? What's the goal? Hiding the process from
>> the users?
>>
>
> I was surprised that I could see it. And as I understand it, I am certainly
> not the only one. One reply to my question was even that it is a privileged
> operation and should not be possible without a group added to the user,
> which was not added to the user.
It was referring to the content of the system journal, not to the
permissions to run "systemctl status".
> I agree that you can find out everything with ps, but that is a lot more
> work.
> I was just surprised that it was possible (and again I am far from the only
> one); I just wanted to check it out and now I know it is expected behaviour.
> Better to ask a 'dumb' question than stay ignorant, I think.
>
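The distinction drawn in this thread (unit state is readable by any local user over D-Bus, while the journal lines that "systemctl status" appends need membership in systemd-journal or adm) can be checked mechanically. The script below is an added example written for this page, not code from the thread or from the systemd project. It assumes a systemd host with a persistent journal under /var/log/journal; the helper names journal_access_expected, journal_access_reason and check_live are made up for the example, and the group list passed to the first two helpers is constructed input.

```shell
#!/bin/sh
# Added example (not from the thread): show why "systemctl status <unit>"
# works for an unprivileged user while the journal part of its output needs
# the systemd-journal (or adm) group. Group names follow the thread.

# Pure helper: given a space-separated group list (as printed by "id -nG"),
# return 0 if the user is expected to be able to read the system journal.
# Kept free of systemd calls so it can be tested on any host.
journal_access_expected() {
    for g in $1; do
        case "$g" in
            root|systemd-journal|adm) return 0 ;;
        esac
    done
    return 1
}

# Hypothetical helper: one-line verdict for a group list. "adm" is listed
# because it also grants journal access, but it carries extra privileges,
# so systemd-journal is the narrower choice.
journal_access_reason() {
    if journal_access_expected "$1"; then
        echo "journal readable"
    else
        echo "journal not readable: add user to systemd-journal (adm also works but grants more)"
    fi
}

# Live check, meaningful only on a systemd host. Unit state is queried with
# "systemctl show", which goes over D-Bus and needs no group membership;
# the journal directory is then inspected to explain the warning.
check_live() {
    unit="${1:-cron.service}"
    echo "unit state for $unit (unprivileged query, no group needed):"
    systemctl show -p ActiveState -p MainPID "$unit"
    echo "journal access for $(id -un): $(journal_access_reason "$(id -nG)")"
    # /var/log/journal is normally owned root:systemd-journal with the setgid
    # bit, so group membership is what lets journalctl open the files.
    ls -ld /var/log/journal 2>/dev/null || echo "no persistent journal directory"
}

# Usage when run directly: ./journal-check.sh cron.service
case "$0" in
    *journal-check.sh) check_live "$1" ;;
esac
```

Run it as the user who saw the warning: the unit state prints regardless, and the verdict line tells you whether the missing journal lines are explained by group membership. Adding the user to systemd-journal (rather than adm) is the least-privilege fix; the change takes effect on the user's next login.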