authorLennart Poettering <lennart@poettering.net>2013-03-05 19:15:31 +0100
committerLennart Poettering <lennart@poettering.net>2013-03-05 19:15:31 +0100
commit37495eede95d3212b797c8459d7ed6258fb23c6a (patch)
tree1bd1c7587695abcac889d9131a0bb4d2bd45c251
parent37c0e8f35e92190a22b2ac0fbb23bf396121e84a (diff)
journal: make gatewayd run under its own user ID
-rw-r--r--README16
-rw-r--r--units/systemd-journal-gatewayd.service.in3
2 files changed, 14 insertions, 5 deletions
diff --git a/README b/README
index 889c687bac..b6e347ec2b 100644
--- a/README
+++ b/README
@@ -101,11 +101,12 @@ REQUIREMENTS:
pass the same DESTDIR to 'make sphinx-html' invocation.
USERS AND GROUPS:
- Default udev rules use the following standard system group names,\
- which need to be resolvable by getgrnam() at any time, even in the
- very early boot stages, where no other databases and network is
- available:
- tty, dialout, kmem, video, audio, lp, floppy, cdrom, tape, disk
+ Default udev rules use the following standard system group
+ names, which need to be resolvable by getgrnam() at any time,
+ even in the very early boot stages, where no other databases
+ and network are available:
+
+ tty, dialout, kmem, video, audio, lp, floppy, cdrom, tape, disk
During runtime the journal daemon requires the
"system-journal" system group to exist. New journal files will
@@ -119,6 +120,11 @@ USERS AND GROUPS:
# setfacl -nm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/
+ The journal gateway daemon requires the
+ "system-journal-gateway" system user and group to
+ exist. During execution this network facing service will drop
+ privileges and assume this uid/gid for security reasons.
+
WARNINGS:
systemd will warn you during boot if /etc/mtab is not a
symlink to /proc/mounts. Please ensure that /etc/mtab is a
diff --git a/units/systemd-journal-gatewayd.service.in b/units/systemd-journal-gatewayd.service.in
index c3b5c725bf..a01ce8da45 100644
--- a/units/systemd-journal-gatewayd.service.in
+++ b/units/systemd-journal-gatewayd.service.in
@@ -11,6 +11,9 @@ Requires=systemd-journal-gatewayd.socket
[Service]
ExecStart=@rootlibexecdir@/systemd-journal-gatewayd
+User=systemd-journal-gateway
+Group=systemd-journal-gateway
+SupplementaryGroups=systemd-journal
[Install]
Also=systemd-journal-gatewayd.socket
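Review bot: The account name the unit switches to does not match the one the README tells packagers to create: the unit sets `User=systemd-journal-gateway` / `Group=systemd-journal-gateway`, while the added README paragraph in the first file says the `"system-journal-gateway"` system user and group must exist. A system built from the README would then have gatewayd fail to start under the non-existent unit name, so the README line should read `"systemd-journal-gateway" system user and group to exist`, matching the unit. The README context line above it names the journal group `"system-journal"` while the unit uses `SupplementaryGroups=systemd-journal`; that line is pre-existing, but it looks like the same kind of mismatch and is worth fixing in the same commit. The purpose of the supplementary group is not obvious from the unit alone; a comment such as `# systemd-journal group grants read access to /var/log/journal/ after privileges are dropped` above `SupplementaryGroups=` would document why it is needed (the README text describes journal files as owned by that group, which I cannot confirm from the unit itself).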