summaryrefslogtreecommitdiff
path: root/src/journal/journald-server.c
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2013-03-05 14:27:34 +0100
committerLennart Poettering <lennart@poettering.net>2013-03-05 14:27:34 +0100
commit40adcda869bda55f44b57fd3a2bd71d006dfb51b (patch)
tree1b36592bacd77de1efc79292c7ace9d66ca529cf /src/journal/journald-server.c
parent8a0889dfdafa3054c894e54852d8a9e3a7e8390b (diff)
journald: be a bit more careful when spitting up journals by user id
Diffstat (limited to 'src/journal/journald-server.c')
-rw-r--r--src/journal/journald-server.c13
1 files changed, 11 insertions, 2 deletions
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
index dcfdeaf68e..b46a2f63b3 100644
--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@@ -670,10 +670,19 @@ static void dispatch_message_real(
assert(n <= m);
if (s->split_mode == SPLIT_UID && realuid > 0)
+ /* Split up strictly by any UID */
journal_uid = realuid;
- else if (s->split_mode == SPLIT_LOGIN && owner_valid && owner > 0)
+ else if (s->split_mode == SPLIT_LOGIN && owner_valid && owner > 0 && realuid > 0)
+ /* Split up by login UIDs, this avoids creation of
+ * individual journals for system UIDs. We do this
+ * only if the realuid is not root, in order not to
+ * accidentally leak privileged information logged by
+ * a privileged process that is part of an
+ * unprivileged session to the user. */
journal_uid = owner;
- else if (s->split_mode == SPLIT_LOGIN && loginuid_valid && loginuid > 0)
+ else if (s->split_mode == SPLIT_LOGIN && loginuid_valid && loginuid > 0 && realuid > 0)
+ /* Hmm, let's try via the audit uids, as fallback,
+ * just in case */
journal_uid = loginuid;
else
journal_uid = 0;