authorLennart Poettering <lennart@poettering.net>2012-08-22 04:45:17 +0200
committerLennart Poettering <lennart@poettering.net>2012-08-22 04:45:17 +0200
commit99add6fd0b8f4307ed79256e25f38da318e795c4 (patch)
tree734da124ebd089aff5ee3adbc6bdb4c1b7e990a6 /src/journal
parentd2bd7630d7ebbf9a86cca96e39d56efd4558ead4 (diff)
journalctl: complain if unprivileged users attempt to access the journal and persistant logging is off
Diffstat (limited to 'src/journal')
-rw-r--r--src/journal/journalctl.c14
-rw-r--r--src/journal/journald.c10
2 files changed, 19 insertions, 5 deletions
diff --git a/src/journal/journalctl.c b/src/journal/journalctl.c
index bee26fd769..6aff1f1ba3 100644
--- a/src/journal/journalctl.c
+++ b/src/journal/journalctl.c
@@ -747,8 +747,20 @@ int main(int argc, char *argv[]) {
}
#ifdef HAVE_ACL
+ if (access("/var/log/journal", F_OK) < 0 && geteuid() != 0 && in_group("adm") <= 0) {
+ log_error("Unprivileged users can't see messages unless persistent log storage is enabled. Users in the group 'adm' can always see messages.");
+ r = -EACCES;
+ goto finish;
+ }
+
if (!arg_quiet && geteuid() != 0 && in_group("adm") <= 0)
- log_warning("Showing user generated messages only. Users in the group 'adm' can see all messages. Pass -q to turn this message off.");
+ log_warning("Showing user generated messages only. Users in the group 'adm' can see all messages. Pass -q to turn this notice off.");
+#else
+ if (geteuid() != 0 && in_group("adm") <= 0) {
+ log_error("No access to messages. Only users in the group 'adm' can see messages.");
+ r = -EACCES;
+ goto finish;
+ }
#endif
r = add_this_boot(j);
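Review bot: The new `access("/var/log/journal", F_OK) < 0` test in the HAVE_ACL branch treats every failure as "persistent storage is off", so an unrelated error (for example EACCES while traversing a parent directory) ends in the same -EACCES exit with a misleading message. access() also evaluates with the real UID, while the rest of the condition uses geteuid(). Narrowing the test to `access("/var/log/journal", F_OK) < 0 && errno == ENOENT && geteuid() != 0 && in_group("adm") <= 0` would keep the message accurate. Both new early exits are usability hints that mirror the policy rather than enforce it, since the actual protection is the mode and ACLs on the journal files; a comment such as `/* Advisory only: access is enforced by permissions/ACLs on the journal files */` would stop later readers from treating this as the access check. If journalctl can be pointed at journal files in another directory, these checks would presumably also turn away a user who can legitimately read those files; that needs confirming against the rest of main(), whose body continues outside the hunk.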
diff --git a/src/journal/journald.c b/src/journal/journald.c
index 476d682fda..a1deceabdf 100644
--- a/src/journal/journald.c
+++ b/src/journal/journald.c
@@ -360,7 +360,8 @@ static void server_vacuum(Server *s) {
sd_id128_to_string(machine, ids);
if (s->system_journal) {
- if (asprintf(&p, "/var/log/journal/%s", ids) < 0) {
+ p = strappend("/var/log/journal/", ids);
+ if (!p) {
log_oom();
return;
}
@@ -372,7 +373,8 @@ static void server_vacuum(Server *s) {
}
if (s->runtime_journal) {
- if (asprintf(&p, "/run/log/journal/%s", ids) < 0) {
+ p = strappend("/run/log/journal/", ids);
+ if (!p) {
log_oom();
return;
}
@@ -1394,7 +1396,7 @@ static int server_init(Server *s) {
return 0;
}
-static void maybe_append_tags(Server *s) {
+static void server_maybe_append_tags(Server *s) {
#ifdef HAVE_GCRYPT
JournalFile *f;
Iterator i;
@@ -1539,7 +1541,7 @@ int main(int argc, char *argv[]) {
break;
}
- maybe_append_tags(&server);
+ server_maybe_append_tags(&server);
}
log_debug("systemd-journald stopped as pid %lu", (unsigned long) getpid());