Bug#934284: journal sometimes with x-bit, sometimes without

Michael Biebl biebl at debian.org
Mon Mar 14 10:38:01 GMT 2022


On Fri, 25 Feb 2022 19:31:21 +0100 Marc Haber <mh+debian-bugs at zugschlus.de> wrote:
> Hi Michael,
> 
> thanks to some insights from Bastian Blank explaining ACLs, I have the
> following hypothesis:
>
> - System boots up
> - journald starts
> - journald creates directories in /run/log without caring much
> - journald begins logging, creating a file without -x bits
> - systemd-tmpfiles starts
> - systemd-tmpfiles fixes directory permissions including ACL and
>   default settings (cf /usr/lib/tmpfiles.d/systemd.conf)
> - journald rotates logs
> - new journal is created
> - default settings on directory are honored now
> - so the new journal has the x bit set
> 

Nowadays I have a persistent journal enabled basically everywhere, which
somewhat mitigates this issue, as /var/log/journal/<machineid> will
persist across reboots and new files will always inherit the same ACL
settings.

For fun I removed /var/log/journal on a Pi and just rebooted it:


root@raspberrypi:/run/log/journal/92e74c0bd699cc0d17d48ad852cc73e2# ll *
-rw-r-----+ 1 root systemd-journal 1130496 14. Mär 11:16 system@4e4fa9683e9041d08a052d753423c783-0000000000000001-0005da2af7b5dcad.journal
-rw-r-----+ 1 root systemd-journal 1130496 14. Mär 11:20 system.journal

root@raspberrypi:/run/log/journal/92e74c0bd699cc0d17d48ad852cc73e2# getfacl *
# file: system@4e4fa9683e9041d08a052d753423c783-0000000000000001-0005da2af7b5dcad.journal
# owner: root
# group: systemd-journal
user::rw-
group::r--
group:adm:r--
mask::r--
other::---

# file: system.journal
# owner: root
# group: systemd-journal
user::rw-
group::r-x			#effective:r--
group:adm:r-x			#effective:r--
mask::r--
other::---

systemd-tmpfiles-setup.service has an explicit
After=systemd-journald.service. So your theory would be a reasonable 
explanation for what we are seeing here.

That said, I know too little about ACLs to suggest a way to set up
the parent folder differently so that new files do not get the (ineffective)
x-bit.
It's a bit of an oddity for sure, but at least with a persistent journal
you would not get this warning from aide, I assume, as all files would now
have an (ineffective) x-bit set?

Michael
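
The two getfacl listings above differ only in bits the mask filters out. As an added example (not part of the original message and not systemd or aide code), this Python sketch parses getfacl text and compares effective permissions; the sample is constructed from the listings above, with "archived.journal" as a shortened stand-in for the rotated file's name.

```python
# Added example: compare *effective* permissions in getfacl output.
# SAMPLE is constructed from the two listings in the message above;
# "archived.journal" is a stand-in name (assumption) for the rotated file.
SAMPLE = """\
# file: archived.journal
# owner: root
# group: systemd-journal
user::rw-
group::r--
group:adm:r--
mask::r--
other::---

# file: system.journal
# owner: root
# group: systemd-journal
user::rw-
group::r-x\t\t\t#effective:r--
group:adm:r-x\t\t\t#effective:r--
mask::r--
other::---
"""

def parse_getfacl(text):
    """Return {filename: {(tag, qualifier): perms}} from getfacl output."""
    files, current = {}, None
    for line in text.splitlines():
        if line.startswith("# file:"):
            current = files.setdefault(line[len("# file:"):].strip(), {})
        elif current is not None and line and not line.startswith("#"):
            entry = line.split("#", 1)[0].strip()  # drop "#effective:" hint
            *tag, qualifier, perms = entry.split(":")
            current[(":".join(tag), qualifier)] = perms
    return files

def effective(acl):
    """Apply the mask to named users, the owning group and named groups."""
    mask = acl.get(("mask", ""))
    out = {}
    for (tag, qualifier), perms in acl.items():
        if tag == "mask":
            continue
        masked = tag == "group" or (tag == "user" and qualifier)
        if mask is not None and masked:
            perms = "".join(p if m != "-" else "-" for p, m in zip(perms, mask))
        out[(tag, qualifier)] = perms
    return out

def ineffective_bits(acl):
    """Entries whose stored permissions exceed what the mask lets through."""
    eff = effective(acl)
    return {k: v for k, v in acl.items() if k[0] != "mask" and eff[k] != v}
```
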


