Bug#800947: ACL for /var/log/journal not set for group adm

Michael Biebl biebl at debian.org
Mon Oct 5 12:21:02 BST 2015


On 05.10.2015 at 13:12, Michael Biebl wrote:
> On 05.10.2015 at 13:08, Raphaël Halimi wrote:
>> On 05/10/2015 12:30, Michael Biebl wrote:
>>> But the subdirectories of /var/log/journal have the correct ACL set, right?
>>
>> Yes, you're right, I just noticed it; but using journalctl as a user
>> won't display system messages (only user messages), which is not the
>> expected behavior of adding a user in the "adm" group (pre-systemd).
>>
>> Maybe it's because the system.journal file doesn't have the ACL set?
>>
>> raph at arche:~$ getfacl -R /var/log/journal/
>> getfacl : suppression du premier « / » des noms de chemins absolus
>> # file: var/log/journal/
>> # owner: root
>> # group: systemd-journal
>> # flags: -s-
>> user::rwx
>> group::r-x
>> other::r-x
>>
>> # file: var/log/journal//3deacfa10d0c169adfdeb36c50522bd6
>> # owner: root
>> # group: systemd-journal
>> # flags: -s-
>> user::rwx
>> group::r-x
>> group:adm:r-x
>> mask::r-x
>> other::r-x
>> default:user::rwx
>> default:group::r-x
>> default:group:adm:r-x
>> default:mask::r-x
>> default:other::r-x
>>
>> # file: var/log/journal//3deacfa10d0c169adfdeb36c50522bd6/user-1000.journal
>> # owner: root
>> # group: root
>> user::rw-
>> user:raph:r--
>> group::r--
>> mask::r--
>> other::---
>>
>> # file: var/log/journal//3deacfa10d0c169adfdeb36c50522bd6/system.journal
>> # owner: root
>> # group: root
>> user::rw-
>> group::r--
>> other::---
>>
>> I admit I don't know ACLs very well, but aren't the "default:..." lines
>> supposed to mean that the files under there should have these
>> permissions too?
> 
> See
> https://github.com/systemd/systemd/commit/8b258a645ae63dff3ab8dde6520d2e770e2a40f1
> 
> Apparently this was an intended change.

Apparently the files were created before the ACLs had been set for
/var/log/journal/3deacfa10d0c169adfdeb36c50522bd6,
so the journal files that were created did not inherit the correct ACLs
from the parent directory.

Possibly you created /var/log/journal or set Storage=persistent, but did
*not* reboot the system afterwards, which would have triggered
systemd-tmpfiles to be run. And once you restarted systemd-journald (which
can happen on a systemd update), the journal files were created without
the ACLs set.

On next reboot, the systemd.conf tmpfile did apply the ACL for the
directory, but it was too late at that point.

I wonder if we should fix the documentation to tell people to run
systemd-tmpfiles /usr/lib/tmpfiles/systemd.conf immediately after
enabling persistent journal.



-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
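The failure mode described in this message, files created before the directory's default ACL existed and therefore never inheriting it, can be spotted by walking `getfacl -R` output and flagging every `*.journal` record that carries no named-group entry. The script below is an added example, not part of the bug report or of the systemd package; it parses the exact record format quoted above, and the `SAMPLE_BROKEN` / `SAMPLE_FIXED` strings are constructed inputs condensed from that listing. The function names `journal_files_missing_acl` and `audit_journal_dir` are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report): parse `getfacl -R` output in the
# record format quoted above and list journal files that lack a group ACL
# entry, i.e. files created before the directory's default ACL was applied.

# Constructed sample, condensed from the getfacl output quoted in the thread:
# the machine-id directory carries group:adm plus default:group:adm, the two
# journal files beneath it carry neither.
SAMPLE_BROKEN='# file: var/log/journal/
# owner: root
# group: systemd-journal
user::rwx
group::r-x
other::r-x

# file: var/log/journal//3deacfa10d0c169adfdeb36c50522bd6
# owner: root
# group: systemd-journal
user::rwx
group::r-x
group:adm:r-x
mask::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:adm:r-x
default:mask::r-x
default:other::r-x

# file: var/log/journal//3deacfa10d0c169adfdeb36c50522bd6/user-1000.journal
# owner: root
# group: root
user::rw-
user:raph:r--
group::r--
mask::r--
other::---

# file: var/log/journal//3deacfa10d0c169adfdeb36c50522bd6/system.journal
# owner: root
# group: root
user::rw-
group::r--
other::---'

# Constructed sample of the same file after a repair: the named-group entry
# is present, so the audit must report nothing for it.
SAMPLE_FIXED='# file: var/log/journal//3deacfa10d0c169adfdeb36c50522bd6/system.journal
# owner: root
# group: root
user::rw-
group::r--
group:adm:r--
mask::r--
other::---'

# journal_files_missing_acl <getfacl-output> <group>
# Prints one path per *.journal record that has no "group:<group>:" entry.
# Directory records are skipped on purpose: their "default:" entries only
# govern files created afterwards, which is exactly why files that already
# existed when the default ACL was set stay unreadable for the group.
journal_files_missing_acl() {
    printf '%s\n' "$1" | awk -v grp="$2" '
        function flush() {
            if (file ~ /\.journal$/ && !has) print file
            file = ""; has = 0
        }
        /^# file: / { flush(); file = substr($0, 9); next }
        index($0, "group:" grp ":") == 1 { has = 1 }
        END { flush() }
    '
}

# audit_journal_dir [dir] [group]: the same check against a live system.
# Needs the acl package; -p keeps absolute paths in the "# file:" lines.
audit_journal_dir() {
    journal_files_missing_acl \
        "$(getfacl -R -p "${1:-/var/log/journal}" 2>/dev/null)" "${2:-adm}"
}

# Stand-alone run: prints the two files the thread's listing flags.
journal_files_missing_acl "$SAMPLE_BROKEN" adm
```

Re-running systemd-tmpfiles on the systemd.conf snippet, as the message suggests, only (re)applies the directory's access and default ACLs; it does not touch files journald had already created. Anything this audit reports therefore still needs its own ACL entry (the `setfacl -Rnm g:adm:rx` form from the journald documentation adds the `group:adm` entry without recomputing the mask), after which the audit output for that group is empty.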
