Bug#934284: journal sometimes with x-bit, sometimes without

Marc Haber mh+debian-bugs at zugschlus.de
Mon Feb 3 14:50:09 GMT 2020


On Mon, Feb 03, 2020 at 09:44:19AM +0100, Michael Biebl wrote:
> Am 03.02.20 um 09:30 schrieb Marc Haber:
> > group::r-x                      #effective:r--
> > group:adm:r-x                   #effective:r--
> 
> Just to be clear: you mean this x bit set for group/group:adm which is
> not in effect (in effect is r-- due to the mask)
> So is there actually a problem?

The problem is that aide notices the changes and duly reports it. And I
think it's an unintended change and would like not to be forced to
mask that.

> Afaics, this is just a result of how the permissions/ACLs are setup for
> /run/log/journal/$machineid
> 
> If you create a file via touch in that directory, it should have the
> same permissions as the journal files, right?

[2/1541]mh at roll:~ $ sudo touch /run/log/journal/a663cb108c444a01ac0802d96eb0bccc/foo
[sudo] password for mh on roll: 
[3/1542]mh at roll:~ $ ls -al /run/log/journal/a663cb108c444a01ac0802d96eb0bccc/
total 9,9M
drwxr-s---+ 2 root systemd-journal  100 Feb  3 15:44 ./
drwxr-sr-x  3 root systemd-journal   60 Feb  3 08:48 ../
-rw-r-----+ 1 root systemd-journal    0 Feb  3 15:44 foo
-rw-r-----+ 1 root systemd-journal 5,0M Feb  3 09:28 system\@2914964836b94758b67f1e5882bed2d2-0000000000000001-00059da724f09f96.journal
-rw-r-----+ 1 root systemd-journal 5,0M Feb  3 15:44 system.journal
[4/1543]mh at roll:~ $ getfacl /run/log/journal/a663cb108c444a01ac0802d96eb0bccc/foo 
getfacl: Removing leading '/' from absolute path names
# file: run/log/journal/a663cb108c444a01ac0802d96eb0bccc/foo
# owner: root
# group: systemd-journal
user::rw-
group::r-x                      #effective:r--
group:adm:r-x                   #effective:r--
mask::r--
other::---

[5/1544]mh at roll:~ $ getfacl /run/log/journal/a663cb108c444a01ac0802d96eb0bccc/system.journal 
getfacl: Removing leading '/' from absolute path names
# file: run/log/journal/a663cb108c444a01ac0802d96eb0bccc/system.journal
# owner: root
# group: systemd-journal
user::rw-
group::r-x                      #effective:r--
group:adm:r-x                   #effective:r--
mask::r--
other::---

[6/1545]mh at roll:~ $ 

Looks like that, but why are the acls on the rotated file (that should simply
be a rename, right?) also changing?

Currently, /usr/lib/tmpfiles.d/systemd.conf has:
d /run/log 0755 root root -
z /run/log/journal 2755 root systemd-journal - -
Z /run/log/journal/%m ~2750 root systemd-journal - -
a+ /run/log/journal/%m - - - - d:group:adm:r-x
a+ /run/log/journal/%m - - - - group:adm:r-x
a+ /run/log/journal/%m/*.journal* - - - - group:adm:r--
z /var/log/journal 2755 root systemd-journal - -
z /var/log/journal/%m 2755 root systemd-journal - -
z /var/log/journal/%m/system.journal 0640 root systemd-journal - -
a+ /var/log/journal    - - - - d:group::r-x,d:group:adm:r-x
a+ /var/log/journal    - - - - group::r-x,group:adm:r-x
a+ /var/log/journal/%m - - - - d:group:adm:r-x
a+ /var/log/journal/%m - - - - group:adm:r-x
a+ /var/log/journal/%m/system.journal - - - - group:adm:r--
d /var/log/private 0700 root root -

What would need to change to have the directory directly created with
the appropriate permissions that matches the one that gets set in log
rotation?

I see that we're rapidly approaching a solution. I really appreciate
that.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421
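The getfacl listings above show entries such as group::r-x with #effective:r--, and the question in the thread is whether such an x bit that the mask cancels matters. The following script is an added worked example, not part of the bug report and not systemd's or aide's code. It parses getfacl-style text, applies the mask the way acl(5) describes (the owning-group entry, named-user and named-group entries are ANDed with mask::, while user:: and other:: are never masked), and reproduces the ACL a file created by touch inherits from a directory's default ACL. The directory's default ACL used as input is an assumption derived from the tmpfiles.d lines quoted above (the report does not show getfacl on the directory itself); the file ACLs are the two listings quoted in the report, with the #effective annotations left in place so that the computation, not getfacl's annotation, produces the effective value. All function names are this example's own.

```python
"""POSIX ACL effective rights and default-ACL inheritance, as getfacl prints them."""
import re

PERM_BITS = {"r": 4, "w": 2, "x": 1}

# Matches "user::rw-", "group:adm:r-x   #effective:r--", "default:mask::r-x" ...
ENTRY_RE = re.compile(r"^(?:default:)?(user|group|mask|other):([^:]*):([rwx-]{3})")

# Constructed input: the two access ACLs quoted in the bug report.
FOO_ACL = """\
# file: run/log/journal/a663cb108c444a01ac0802d96eb0bccc/foo
# owner: root
# group: systemd-journal
user::rw-
group::r-x                      #effective:r--
group:adm:r-x                   #effective:r--
mask::r--
other::---
"""
JOURNAL_ACL = FOO_ACL.replace("/foo", "/system.journal")

# Assumed input: the directory's default ACL as the quoted tmpfiles.d lines
# (mode ~2750 plus "a+ ... d:group:adm:r-x") would leave it. Not shown in the report.
DIR_DEFAULT_ACL = """\
default:user::rwx
default:group::r-x
default:group:adm:r-x
default:mask::r-x
default:other::---
"""


def perms_to_int(p):
    return sum(PERM_BITS[c] for c in p if c != "-")


def int_to_perms(n):
    return "".join(c if n & b else "-" for c, b in PERM_BITS.items())


def parse_acl(text):
    """Return [(tag, qualifier, bits)] from getfacl output; '#' lines are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACL line: {line!r}")
        tag, qual, perms = m.groups()
        entries.append((tag, qual, perms_to_int(perms)))
    return entries


def effective(entries):
    """[(tag, qualifier, bits, effective_bits)] with the mask applied as acl(5) does."""
    mask = next((b for t, _, b in entries if t == "mask"), None)
    out = []
    for tag, qual, bits in entries:
        masked = tag == "group" or (tag == "user" and qual != "")
        eff = bits & mask if (masked and mask is not None) else bits
        out.append((tag, qual, bits, eff))
    return out


def effective_view(entries):
    """Only the rights that are actually granted, keyed like getfacl's first column."""
    return {f"{t}:{q}:": int_to_perms(e) for t, q, _, e in effective(entries)}


def same_effective_rights(acl_a, acl_b):
    """True when two ACLs grant identical rights, even if their text differs."""
    return effective_view(acl_a) == effective_view(acl_b)


def acl_for_new_file(default_entries, mode):
    """ACL a new file inherits from a directory's default ACL (acl(5), object creation):
    the default ACL is copied, then user:: is ANDed with the owner bits of the creating
    call's mode, other:: with the other bits, and mask:: (group:: if there is no mask)
    with the group bits. Named user/group entries are copied unchanged."""
    owner, group, other = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    has_mask = any(t == "mask" for t, _, _ in default_entries)
    out = []
    for tag, qual, bits in default_entries:
        if tag == "user" and qual == "":
            bits &= owner
        elif tag == "other":
            bits &= other
        elif tag == "mask" or (tag == "group" and qual == "" and not has_mask):
            bits &= group
        out.append((tag, qual, bits))
    return out


def mode_string(entries):
    """The nine permission characters ls shows: owner from user::, group class
    from mask:: (group:: without a mask), other from other::."""
    d = {(t, q): b for t, q, b in entries}
    group_class = d.get(("mask", ""), d.get(("group", "")))
    return int_to_perms(d[("user", "")]) + int_to_perms(group_class) + int_to_perms(d[("other", "")])


if __name__ == "__main__":
    foo, journal = parse_acl(FOO_ACL), parse_acl(JOURNAL_ACL)
    print("effective rights of foo:", effective_view(foo))
    print("same effective rights as system.journal:", same_effective_rights(foo, journal))
    # touch asks for 0666; with the usual umask 022 the kernel sees 0644.
    inherited = acl_for_new_file(parse_acl(DIR_DEFAULT_ACL), 0o644)
    print("inherited ACL matches getfacl on foo:", inherited == foo)
    print("ls would show:", mode_string(inherited))
```

The inheritance step is what makes group::r-x appear with mask::r-- on a freshly created file: the r-x comes unchanged from the default ACL, while the mask is reduced to the group bits of the 0644 that touch requested. An integrity checker that compares the effective view rather than the raw getfacl text would report no difference between the two listings quoted above; aide compares the stored ACL as such, which is why the x bit shows up in its report.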