Bug#843310: systemd-journald: user service logs are not available to normal users unless persistent Storage is used.

Daniel Kahn Gillmor dkg at fifthhorseman.net
Sat Nov 5 19:16:08 GMT 2016


Package: systemd
Version: 232-1
Severity: normal

Dear systemd and journald maintainers,

User services generate output and that output is logged by the user's
systemd session manager. journalctl(1) says:

       All users are granted access to their private per-user journals.

However, this isn't the case for volatile logs -- it's only true if
/var/log/journal exists and is used by the journal daemon
(journal.conf has Storage= set to either "persistent" or "auto").  As
noted in systemd-journald(8), access to files in /var/log/journal is
controlled by filesystem permissions, and per-user journal files are
given an ACL that allows reading by the user in question.

But the files in /run/log/journal (including .) are owned
root:systemd-journal, and only have an acl permitting group reading by
group "adm".

If /var/log/journal doesn't exist, then the files in /run/log/journal
are named like:

    /run/log/journal/6051cddb073148558d78ef88b325d68c/system@69e51cd1f22d4569aee1f96c1219d41d-00000000000008cc-0005409149915123.journal
    /run/log/journal/6051cddb073148558d78ef88b325d68c/system@69e51cd1f22d4569aee1f96c1219d41d-0000000000000434-000540908e2a4975.journal

but /run/log/journal is removed once /var/log/journal exists, and
/var/log/journal files are named like this:

    /var/log/journal/6051cddb073148558d78ef88b325d68c/user-1000.journal
    /var/log/journal/6051cddb073148558d78ef88b325d68c/system.journal

Without /var/log/journal existing, with a user with no special
membership in adm or systemd-journal, I see no log info:

-----------
dkg@sid:~$ groups
dkg
dkg@sid:~$ journalctl --user-unit gpg-agent | tail
Hint: You are currently not seeing messages from other users and the system.
      Users in the 'systemd-journal' group can see all messages. Pass -q to
      turn off this notice.
No journal files were opened due to insufficient permissions.
dkg@sid:~$ systemctl status --user gpg-agent | cat
● gpg-agent.service - GnuPG cryptographic agent and passphrase cache
   Loaded: loaded (/usr/lib/systemd/user/gpg-agent.service; static; vendor preset: enabled)
   Active: active (running) since Sat 2016-11-05 12:47:26 EDT; 18min ago
     Docs: man:gpg-agent(1)
 Main PID: 836 (gpg-agent)
   CGroup: /user.slice/user-1000.slice/user@1000.service/gpg-agent.service
           └─836 /usr/bin/gpg-agent --supervised
dkg@sid:~$ 
-----------

If you want to try to replicate, this is with the stock gpg-agent
user service from the gnupg-agent package, version 2.1.15-8, with the
following command run in bash as root before regular user login:

    # systemctl --user --global enable gpg-agent{,-ssh,-extra,-browser}.socket

And the user has the following two lines in ~/.gnupg/gpg-agent.conf:

    debug-level guru
    debug-pinentry

-------

fwiw, strace can see journalctl trying to access files in /run/log
before it tries to look in /var/log/journal, but it gets EACCES
(Permission denied) errors (as one would expect from the permissions
on it).

Shouldn't systemd-journald manage its files in /run/log/journal with
the same approach and permissions that it uses for files in
/var/log/journal?

Regards,

	--dkg

-- Package-specific info:

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.8.0-1-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages systemd depends on:
ii  adduser         3.115
ii  libacl1         2.2.52-3
ii  libapparmor1    2.10.95-5
ii  libaudit1       1:2.6.7-1
ii  libblkid1       2.28.2-1
ii  libc6           2.24-5
ii  libcap2         1:2.25-1
ii  libcryptsetup4  2:1.7.3-1
ii  libgcrypt20     1.7.3-2
ii  libgpg-error0   1.24-1
ii  libidn11        1.33-1
ii  libip4tc0       1.6.0-4
ii  libkmod2        23-1
ii  liblzma5        5.2.2-1.2
ii  libmount1       2.28.2-1
ii  libpam0g        1.1.8-3.3
ii  libseccomp2     2.3.1-2
ii  libselinux1     2.6-1
ii  libsystemd0     232-1
ii  mount           2.28.2-1
ii  util-linux      2.28.2-1

Versions of packages systemd recommends:
ii  dbus            1.10.12-1
ii  libpam-systemd  232-1

Versions of packages systemd suggests:
ii  policykit-1        0.105-17
pn  systemd-container  <none>
pn  systemd-ui         <none>

Versions of packages systemd is related to:
pn  dracut           <none>
ii  initramfs-tools  0.125
ii  udev             232-1

-- no debconf information
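The storage rule and the ACL difference the report describes, as an added diagnostic example (not part of the bug report or of systemd's own code): effective_storage() resolves Storage= the way journald.conf(5) documents it, and acl_read_access() evaluates a getfacl(1) listing to say which entry, if any, lets a given user read a journal file. The getfacl listings, the MACHINE-ID and SEQ placeholders and the uid 1000 are constructed.

```python
import re
from typing import Iterable, Optional

def effective_storage(conf_text: str, var_log_journal_exists: bool) -> str:
    """Resolve journald.conf's Storage= as the report describes: "auto" (the
    default) is persistent only when /var/log/journal already exists."""
    storage = "auto"
    for line in conf_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#") and key.strip() == "Storage":
            storage = value.strip().lower() or "auto"
    if storage == "persistent" or (storage == "auto" and var_log_journal_exists):
        return "persistent"
    return "volatile" if storage in ("auto", "volatile") else "none"

_ACL = re.compile(r"^(user|group|mask|other):([^:]*):([rwx-]{3})$")

def acl_read_access(getfacl_output: str, user: str, groups: Iterable[str]) -> Optional[str]:
    """Evaluate a getfacl(1) listing for read access by `user` (name or uid, as
    getfacl prints it) with `groups`; return the granting entry ("owner",
    "user:1000", "group:adm", "other") or None when access is denied."""
    owner = group_owner = None
    entries = []
    for line in getfacl_output.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group_owner = line.split(":", 1)[1].strip()
        elif _ACL.match(line):
            entries.append(_ACL.match(line).groups())
    mask = next((p for t, _, p in entries if t == "mask"), "rwx")  # caps named and group entries
    groups = set(groups)
    for tag, qual, perm in entries:
        if tag == "user" and qual == "" and user == owner:
            return "owner" if "r" in perm else None  # owner entry is never masked
        if tag == "user" and qual == user:
            return f"user:{qual}" if "r" in perm and "r" in mask else None
    matched_group = False
    for tag, qual, perm in entries:
        if tag == "group" and (group_owner if qual == "" else qual) in groups:
            matched_group = True
            if "r" in perm and "r" in mask:
                return f"group:{qual or group_owner}"
    if matched_group:
        return None  # a matching group entry without read denies; "other" is not consulted
    other = next((p for t, _, p in entries if t == "other"), "---")
    return "other" if "r" in other else None

# Constructed listings modelled on the report: a runtime journal file readable only via
# group adm, and a persistent per-user file that carries a read ACL for uid 1000.
RUN_ACL = """# file: run/log/journal/MACHINE-ID/system@SEQ.journal
# owner: root
# group: systemd-journal
user::rw-
group::r--
group:adm:r--
mask::r--
other::---"""
VAR_ACL = RUN_ACL.replace("system@SEQ", "user-1000").replace("user::rw-", "user::rw-\nuser:1000:r--")
```

On a live system the same functions can be fed `getfacl` output captured from /run/log/journal and /var/log/journal to confirm which of the two cases a host is in.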
