Bug#783651: users in adm group can't use journalctl if persistent journal isn't enabled

Raphaël Halimi raphael.halimi at gmail.com
Tue Apr 28 19:36:37 BST 2015


Package: systemd
Version: 215-17
Severity: normal

The README.Debian for systemd says to set ACLs on /var/log/journal
to let users in the "adm" group read the persistent journal via
journalctl. This works well, but if the persistent journal isn't
enabled, users in the "adm" group can't read the journal with journalctl:

$ getfacl /run/log/journal
# file: run/log/journal
# owner: root
# group: systemd-journal
# flags: -s-
user::rwx
group::r-x
other::r-x

$ getfacl /run/log/journal/3deacfa10d0c169adfdeb36c50522bd6/
# file: run/log/journal/3deacfa10d0c169adfdeb36c50522bd6/
# owner: root
# group: systemd-journal
# flags: -s-
user::rwx
group::r-x
other::---

systemd should set ACLs the same way as advertised for /var/log/journal
in README.Debian, so that members of the adm group are able to use
journalctl even if the persistent journal isn't enabled.

Additionally, I stumbled upon something else; I don't know if it's
expected behavior, or if it deserves a bug report, but if the persistent
journal is enabled, /run/log/journal is only readable by root, and not
the systemd-journal group. This causes no trouble, except a minor and
temporary inconsistency in case one disables the persistent journal by
deleting /var/log/journal and restarting systemd-journald; the right
permissions for /run/log/journal (group systemd-journal) wouldn't be
applied until next reboot.

Regards,

-- 
Raphaël Halimi
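
Added example (not part of the original report and not systemd's own code): a shell check that evaluates `getfacl` output like the listings above and reports whether a process whose only relevant group is the one named gets r-x on a journal directory. The function name `group_can_rx`, the `MACHINE-ID` placeholder and both sample listings are constructed for illustration; the second assumes a named `adm` entry has been added.

```shell
# Exit 0 if a non-owner process whose only group is $1 gets r-x according to
# the `getfacl` output on stdin (POSIX ACL evaluation order).
group_can_rx() {
    awk -v grp="$1" '
        function ok(p, m) {
            if (substr(p, 1, 1) != "r" || substr(p, 3, 1) != "x") return 0
            # A mask entry, when present, caps every group entry.
            if (m != "" && (substr(m, 1, 1) != "r" || substr(m, 3, 1) != "x")) return 0
            return 1
        }
        /^# group: / { owning = $3 }
        /^group:/    { split($0, f, ":"); gperm[f[2]] = substr(f[3], 1, 3) }
        /^mask::/    { split($0, f, ":"); mask = substr(f[3], 1, 3) }
        /^other::/   { split($0, f, ":"); other = substr(f[3], 1, 3) }
        END {
            # Any matching group entry decides; "other" applies only if none matches.
            if (grp == owning && ("" in gperm)) { matched = 1; if (ok(gperm[""], mask)) granted = 1 }
            if (grp in gperm) { matched = 1; if (ok(gperm[grp], mask)) granted = 1 }
            if (!matched) granted = ok(other, "")
            exit (granted ? 0 : 1)
        }'
}

# Constructed sample mirroring the runtime machine-id directory in the report.
ACL_RUN='# file: run/log/journal/MACHINE-ID/
# owner: root
# group: systemd-journal
# flags: -s-
user::rwx
group::r-x
other::---'
# Constructed sample: the same directory with an assumed named adm entry.
ACL_ADM='# file: var/log/journal/MACHINE-ID/
# owner: root
# group: systemd-journal
# flags: -s-
user::rwx
group::r-x
group:adm:r-x
mask::r-x
other::---'

for g in systemd-journal adm; do
    if printf '%s\n' "$ACL_RUN" | group_can_rx "$g"; then r=yes; else r=no; fi
    echo "runtime journal dir, group $g can read: $r"
done
if printf '%s\n' "$ACL_ADM" | group_can_rx adm; then echo "with adm entry: yes"; fi
```

On a live system, pipe `getfacl` output for the directory in question into `group_can_rx` with the group to audit.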
