Bug#934284: journal sometimes with x-bit, sometimes without
Marc Haber
mh+debian-bugs at zugschlus.de
Mon Feb 3 14:50:09 GMT 2020
On Mon, Feb 03, 2020 at 09:44:19AM +0100, Michael Biebl wrote:
> On 03.02.20 at 09:30, Marc Haber wrote:
> > group::r-x #effective:r--
> > group:adm:r-x #effective:r--
>
> Just to be clear: you mean this x bit set for group/group:adm which is
> not in effect (in effect is r-- due to the mask)
> So is there actually a problem?
The problem is that aide notices the changes and duly reports them. And I
think it's an unintended change and would like not to be forced to
mask that.
> Afaics, this is just a result of how the permissions/ACLs are set up for
> /run/log/journal/$machineid
>
> If you create a file via touch in that directory, it should have the
> same permissions as the journal files, right?
[2/1541]mh at roll:~ $ sudo touch /run/log/journal/a663cb108c444a01ac0802d96eb0bccc/foo
[sudo] password for mh on roll:
[3/1542]mh at roll:~ $ ls -al /run/log/journal/a663cb108c444a01ac0802d96eb0bccc/
total 9,9M
drwxr-s---+ 2 root systemd-journal 100 Feb 3 15:44 ./
drwxr-sr-x 3 root systemd-journal 60 Feb 3 08:48 ../
-rw-r-----+ 1 root systemd-journal 0 Feb 3 15:44 foo
-rw-r-----+ 1 root systemd-journal 5,0M Feb 3 09:28 system\@2914964836b94758b67f1e5882bed2d2-0000000000000001-00059da724f09f96.journal
-rw-r-----+ 1 root systemd-journal 5,0M Feb 3 15:44 system.journal
[4/1543]mh at roll:~ $ getfacl /run/log/journal/a663cb108c444a01ac0802d96eb0bccc/foo
getfacl: Removing leading '/' from absolute path names
# file: run/log/journal/a663cb108c444a01ac0802d96eb0bccc/foo
# owner: root
# group: systemd-journal
user::rw-
group::r-x #effective:r--
group:adm:r-x #effective:r--
mask::r--
other::---
[5/1544]mh at roll:~ $ getfacl /run/log/journal/a663cb108c444a01ac0802d96eb0bccc/system.journal
getfacl: Removing leading '/' from absolute path names
# file: run/log/journal/a663cb108c444a01ac0802d96eb0bccc/system.journal
# owner: root
# group: systemd-journal
user::rw-
group::r-x #effective:r--
group:adm:r-x #effective:r--
mask::r--
other::---
[6/1545]mh at roll:~ $
Looks like that, but why are the ACLs on the rotated file (that should simply
be a rename, right?) also changing?
Currently, /usr/lib/tmpfiles.d/systemd.conf has:
d /run/log 0755 root root -
z /run/log/journal 2755 root systemd-journal - -
Z /run/log/journal/%m ~2750 root systemd-journal - -
a+ /run/log/journal/%m - - - - d:group:adm:r-x
a+ /run/log/journal/%m - - - - group:adm:r-x
a+ /run/log/journal/%m/*.journal* - - - - group:adm:r--
z /var/log/journal 2755 root systemd-journal - -
z /var/log/journal/%m 2755 root systemd-journal - -
z /var/log/journal/%m/system.journal 0640 root systemd-journal - -
a+ /var/log/journal - - - - d:group::r-x,d:group:adm:r-x
a+ /var/log/journal - - - - group::r-x,group:adm:r-x
a+ /var/log/journal/%m - - - - d:group:adm:r-x
a+ /var/log/journal/%m - - - - group:adm:r-x
a+ /var/log/journal/%m/system.journal - - - - group:adm:r--
d /var/log/private 0700 root root -
What would need to change to have the directory directly created with
the appropriate permissions that matches the one that gets set in log
rotation?
I see that we're rapidly approaching a solution. I really appreciate
that.
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mail address in header
Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
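
Added example, not part of the original message or of systemd/aide: a small Python check that applies the ACL mask to getfacl-style output and tells a stored-bits-only difference (the kind aide reports here) apart from a change in effective access. The function names and the BEFORE listing are constructed for illustration; AFTER mirrors the getfacl output quoted above.

```python
# Added illustration; the BEFORE listing is constructed, AFTER mirrors the message.
BEFORE = """user::rw-
group::r--
group:adm:r--
mask::r--
other::---"""
AFTER = """user::rw-
group::r-x #effective:r--
group:adm:r-x #effective:r--
mask::r--
other::---"""


def parse_acl(text):
    """Map (tag, qualifier) -> perms for the access ACL in getfacl-style text."""
    acl = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop '# file:' and '#effective:' comments
        if not line or line.startswith("default:"):
            continue  # default (inherited) entries are out of scope here
        tag, qualifier, perms = line.split(":")
        acl[(tag, qualifier)] = perms
    return acl


def effective(acl):
    """Apply the mask: it caps the owning group, named groups and named users."""
    mask = acl.get(("mask", ""))
    result = {}
    for (tag, qualifier), perms in acl.items():
        if tag == "mask":
            continue
        capped = tag == "group" or (tag == "user" and qualifier != "")
        if mask is not None and capped:
            perms = "".join(p if p == m else "-" for p, m in zip(perms, mask))
        result[(tag, qualifier)] = perms
    return result


def classify(before_text, after_text):
    """'unchanged', 'nominal-only' (stored bits differ, access does not) or 'effective-change'."""
    before, after = parse_acl(before_text), parse_acl(after_text)
    if before == after:
        return "unchanged"
    same_access = effective(before) == effective(after)
    return "nominal-only" if same_access else "effective-change"


if __name__ == "__main__":
    print(classify(BEFORE, AFTER))  # nominal-only
```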