[Pkg-systemd-maintainers] Bug#724668: Bug#724668: Please add systemd-journal group by default

Guido Günther agx at sigxcpu.org
Thu Sep 26 17:13:30 BST 2013


Hi Moritz,
On Thu, Sep 26, 2013 at 05:42:41PM +0200, Moritz Muehlenhoff wrote:
> On Thu, Sep 26, 2013 at 02:29:58PM +0200, Michael Biebl wrote:
> > forcemerge 717386 724668
> > thanks
> > 
> > Hi Guido,
> > 
> > On 26.09.2013 14:17, Guido Günther wrote:
> > > attached patch adds the systemd-journal group by default so one doesn't
> > > have to create it explicitly in order to add user to it. This makes it
> > > simpler to enable users to read all logs.
> > 
> > I'm merging this bug with the existing one (#717386).
> > I vaguely remember that we discussed that on IRC, and one concern that
> > was raised by Tollef iirc was, why we don't just continue to use adm
> > (which systemd has used in the past). I don't think we came to a
> > conclusion yet, whether we should just patch systemd to use adm or
> > follow upstream and use a dedicated group.
> 
> I think we should follow upstream. It streamlines the group name
> across distros and "adm" is a really confusing legacy name for the group.

See my other reply. Upstream actually does both: allow for adm _and_
systemd-journal via ACLs to have a minimal read only user you can assign
to e.g. daemons that should be allowed to read system journal but
nothing else. It's somewhat similar to what we did with the libvirt-qemu
user and the kvm user.
Cheers,
 -- Guido

> 
> http://www.debian.org/doc/manuals/securing-debian-howto/ch12.en.html:
> | Historically, /var/log was /usr/adm (and later /var/adm), thus the name of 
> | the group. 
> 
> Cheers,
>         Moritz
> 
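
A defender-side check for the arrangement discussed in this thread, added here as an example and not part of the thread or of systemd: it parses `getfacl`-format text for the journal directory and flags any group other than adm and systemd-journal that can read it, or an allowed group that can also write. The sample ACL, the `backup` group and the function names are constructed for illustration.

```python
# Added example: audit getfacl output for the journal directory.
# Assumption: only the two groups named in the thread should have read access.
ALLOWED_READERS = {"adm", "systemd-journal"}

# Constructed sample in `getfacl` output format (not taken from a real host).
SAMPLE_ACL = """\
# file: var/log/journal
# owner: root
# group: systemd-journal
user::rwx
group::r-x
group:adm:r-x
group:backup:rwx
mask::rwx
other::---
default:group:adm:r-x
"""

def _effective(perms, mask):
    """Named-group and owning-group permissions are limited by the mask."""
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))

def audit_journal_acl(text, allowed=ALLOWED_READERS):
    """Return (principal, effective_perms, reason) findings for access ACLs."""
    owner_group, mask, groups, findings = None, "rwx", [], []
    for raw in text.splitlines():
        if raw.startswith("# group:"):
            owner_group = raw.split(":", 1)[1].strip()
        line = raw.split("#", 1)[0].strip()  # drop headers and "#effective:" notes
        if not line or line.startswith("default:"):
            continue  # default (inherited) entries are not audited here
        tag, qualifier, perms = line.split(":")
        if tag == "mask":
            mask = perms
        elif tag == "group":
            groups.append((qualifier, perms))
        elif tag == "other" and "r" in perms:
            findings.append(("other", perms, "world-readable"))
    for name, perms in groups:
        name = name or owner_group  # empty qualifier means the owning group
        eff = _effective(perms, mask)
        if name not in allowed and "r" in eff:
            findings.append((name, eff, "unexpected reader"))
        elif name in allowed and "w" in eff:
            findings.append((name, eff, "write access, expected read-only"))
    return findings

if __name__ == "__main__":
    for finding in audit_journal_acl(SAMPLE_ACL):
        print(finding)
```

On a real host the input would be the text printed by `getfacl` for the journal directory.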



