Bug#800947: ACL for /var/log/journal not set for group adm

Michael Biebl biebl at debian.org
Mon Oct 5 16:20:07 BST 2015


On 05.10.2015 at 13:57, Raphaël Halimi wrote:
> On 05/10/2015 13:21, Michael Biebl wrote:
>> Apparently the files were created before the ACLs have been set for
>> /var/log/journal/3deacfa10d0c169adfdeb36c50522bd6
>> so the journal files that were created did not inherit the correct ACLs
>> from the parent directory.
>>
>> Possibly you created /var/log/journal or set Storage=persistent, but did
>> *not* reboot the system afterwards, which would trigger systemd-tmpfiles
>> to be run. And once you restart systemd-journald (which can happen by
>> systemd update), the journal files were created without the ACLs set.
>>
>> On next reboot, the systemd.conf tmpfile did apply the ACL for the
>> directory, but it was too late at that point.
> 
> No, I rebooted immediately after creating the directory.

Hm, right. There might be a race condition during boot, where
systemd-journald-flush.service is started before systemd-tmpfiles.service.
We could order systemd-journald-flush.service *after*
systemd-tmpfiles.service.

But, when using Storage=persistent, journald will create the directory
/var/log/journal/ itself. So this won't help in that case, unless
systemd-journald re-added the code to apply ACLs itself.


This change sucks from a user experience POV, as you basically now need
to make sure to apply the correct ACL yourself. I think the supplied ACL
rule in /usr/lib/tmpfiles.d/systemd.conf is pretty much useless.

Martin, any ideas?

Michael


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
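
Added example (not part of the original message and not code from systemd or Debian): a shell check for the situation discussed in this thread, journal files that did not pick up a group adm ACL entry from their parent directory. The function names and the sample ACL listings are constructed for illustration; it assumes getfacl from the acl package is installed.

```shell
#!/bin/sh
# Constructed "getfacl -c" listings (not taken from a real system).
SAMPLE_OK='user::rw-
group::r-x
group:adm:r--
mask::r-x
other::---'
# File created before the directory had its default ACL: no adm entry.
SAMPLE_MISSING='user::rw-
group::r-x
other::---'
# Entry present, but the mask strips every effective right.
SAMPLE_MASKED='user::rw-
group::r-x
group:adm:r-x   #effective:---
mask::---
other::---'

# Read getfacl output on stdin. Succeed only if group adm has an access
# entry (not a default: entry) granting "r" that the mask does not remove.
adm_can_read() {
    awk -F: '
        /^#/ { next }
        $1 == "group" && $2 == "adm" { entry = substr($3, 1, 1) }
        $1 == "mask"                 { mask  = substr($3, 1, 1) }
        END { exit !(entry == "r" && mask != "-") }
    '
}

# Print every journal file under DIR that group adm cannot read via its ACL.
audit_journal_acls() {
    command -v getfacl >/dev/null 2>&1 || { echo "getfacl not found" >&2; return 2; }
    find "${1:-/var/log/journal}" -type f -name '*.journal' 2>/dev/null |
    while IFS= read -r f; do
        getfacl -c "$f" 2>/dev/null | adm_can_read || printf '%s\n' "$f"
    done
}
```

Run `audit_journal_acls` as root; a file it lists can be given the entry with `setfacl -m g:adm:r-- FILE`.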
