| author | Lennart Poettering <lennart@poettering.net> | 2013-03-05 19:15:31 +0100 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2013-03-05 19:15:31 +0100 |
| commit | 37495eede95d3212b797c8459d7ed6258fb23c6a (patch) | |
| tree | 1bd1c7587695abcac889d9131a0bb4d2bd45c251 | |
| parent | 37c0e8f35e92190a22b2ac0fbb23bf396121e84a (diff) | |
journal: make gatewayd run under its own user ID
| README | 16 |
|---|---|
| units/systemd-journal-gatewayd.service.in | 3 |

2 files changed, 14 insertions, 5 deletions
@@ -101,11 +101,12 @@ REQUIREMENTS: pass the same DESTDIR to 'make sphinx-html' invocation. USERS AND GROUPS: - Default udev rules use the following standard system group names,\ - which need to be resolvable by getgrnam() at any time, even in the - very early boot stages, where no other databases and network is - available: - tty, dialout, kmem, video, audio, lp, floppy, cdrom, tape, disk + Default udev rules use the following standard system group + names, which need to be resolvable by getgrnam() at any time, + even in the very early boot stages, where no other databases + and network are available: + + tty, dialout, kmem, video, audio, lp, floppy, cdrom, tape, disk During runtime the journal daemon requires the "system-journal" system group to exist. New journal files will @@ -119,6 +120,11 @@ USERS AND GROUPS: # setfacl -nm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/ + The journal gateway daemon requires the + "system-journal-gateway" system user and group to + exist. During execution this network facing service will drop + privileges and assume this uid/gid for security reasons. + WARNINGS: systemd will warn you during boot if /etc/mtab is not a symlink to /proc/mounts. Please ensure that /etc/mtab is a diff --git a/units/systemd-journal-gatewayd.service.in b/units/systemd-journal-gatewayd.service.in index c3b5c725bf..a01ce8da45 100644 --- a/units/systemd-journal-gatewayd.service.in +++ b/units/systemd-journal-gatewayd.service.in @@ -11,6 +11,9 @@ Requires=systemd-journal-gatewayd.socket [Service] ExecStart=@rootlibexecdir@/systemd-journal-gatewayd +User=systemd-journal-gateway +Group=systemd-journal-gateway +SupplementaryGroups=systemd-journal [Install] Also=systemd-journal-gatewayd.socket |
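Review bot: the first README hunk (@@ -101,11 +101,12 @@) is a pure reflow and grammar fix of the udev groups paragraph ("network is available" becoming "network are available", plus a blank line before the group list) and has nothing to do with the gatewayd user change in the commit message; consider moving it into its own commit so the README diff for this change shows only the new account requirement.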
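Review bot: the account names in the second README hunk (@@ -119,6 +120,11 @@) do not match the unit file: the README tells packagers to create a "system-journal-gateway" user and group, while the unit sets `User=systemd-journal-gateway` and `Group=systemd-journal-gateway`; likewise the README's existing text names the "system-journal" group whereas the unit uses `SupplementaryGroups=systemd-journal`. An administrator who follows the README will create accounts the unit never references and the service will fail to start. Please align the README with the unit (the unit spelling, with the "systemd-" prefix, is the one that is actually enforced). Also, "this network facing service will drop privileges and assume this uid/gid" slightly misdescribes what the unit does: with `User=`/`Group=` set, systemd starts the process as that uid/gid from the outset, so the daemon itself never runs as root; "is started as this uid/gid" would be more accurate.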
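Review bot: the unit hunk (@@ -11,6 +11,9 @@) makes the service depend on the `systemd-journal-gateway` user and the `systemd-journal` group existing at activation time, but nothing in this patch creates them; since the unit is socket-activated (`Requires=systemd-journal-gatewayd.socket` in the context lines), a missing account means the socket still accepts connections while every activation of the service fails at exec time. The README addition covers the user/group, but it should also state that the `systemd-journal` group must exist, because `SupplementaryGroups=systemd-journal` is what gives the otherwise unprivileged gateway user read access to the journal files; packaging should create both before the units are enabled.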