-rw-r--r-- | Makefile.am | 9 | ||||
-rw-r--r-- | README | 13 | ||||
-rw-r--r-- | man/systemd-journald.service.xml | 35 | ||||
-rw-r--r-- | src/journal/journalctl.c | 12 | ||||
-rw-r--r-- | src/journal/journald-server.c | 6 |
5 files changed, 64 insertions, 11 deletions
diff --git a/Makefile.am b/Makefile.am
index 3d3f2652f6..13211c45bd 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2563,9 +2563,16 @@ libsystemd_journal_internal_la_LIBADD += \
 $(GCRYPT_LIBS)
 endif
-# move lib from $(libdir) to $(rootlibdir) and update devel link, if needed
+# move lib from $(libdir) to $(rootlibdir) and update devel link, if
+# needed. Also, grant read access to new journal files to members of
+# "adm" and "wheel".
 libsystemd-journal-install-hook:
 libname=libsystemd-journal.so && $(move-to-rootlibdir)
+ $(MKDIR_P) $(DESTDIR)/var/log/journal
+ -chown 0:0 $(DESTDIR)/var/log/journal
+ -chmod 755 $(DESTDIR)/var/log/journal
+ -setfacl -nm g:adm:rx,d:g:adm:rx $(DESTDIR)/var/log/journal/
+ -setfacl -nm g:wheel:rx,d:g:wheel:rx $(DESTDIR)/var/log/journal/
 libsystemd-journal-uninstall-hook:
 rm -f $(DESTDIR)$(rootlibdir)/libsystemd-journal.so*
@@ -100,6 +100,19 @@ REQUIREMENTS:
 being 'html' or 'latexpdf'. If using DESTDIR for installation, pass the same DESTDIR to 'make sphinx-html' invocation.
+USERS AND GROUPS:
+ During runtime the journal daemon requires the
+ "system-journal" system group to exist. New journal files will
+ be readable by this group (but not writable) which may be used
+ to grant specific users read access.
+
+ It is also recommended to grant read access to all journal
+ files to the system groups "wheel" and "adm" with a command
+ like the following in the post installation script of the
+ package:
+
+ # setfacl -nm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/
+
 WARNINGS:
 systemd will warn you during boot if /etc/mtab is not a symlink to /proc/mounts. Please ensure that /etc/mtab is a
diff --git a/man/systemd-journald.service.xml b/man/systemd-journald.service.xml
index 4969ab19c3..bc32c8e38b 100644
--- a/man/systemd-journald.service.xml
+++ b/man/systemd-journald.service.xml
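Review bot: The install hook grants read ACLs to `adm` and `wheel` but never checks that the `systemd-journal` group exists, even though this same commit makes journald resolve that group for the group ownership of new journal files (journald-server.c) and, per the comment there, fall back to gid 0 when the lookup fails, so on an install without the group the group-based read access this commit documents silently does not exist; the README text added on this same line even spells the group `system-journal`. I would add a check to the hook, e.g. `-getent group systemd-journal >/dev/null || echo "warning: group 'systemd-journal' does not exist; journal files will be group-owned by root"`, or at least state in the comment that packaging must create the group. Separately, the `-` prefix on each `setfacl` line makes a failure (no setfacl binary, filesystem mounted without ACL support) silent, so the access the comment promises may never be applied; `-setfacl -nm g:adm:rx,d:g:adm:rx $(DESTDIR)/var/log/journal/ || echo "warning: could not set ACLs on $(DESTDIR)/var/log/journal"` keeps the install non-fatal while making the gap visible.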
@@ -158,6 +158,38 @@
 </variablelist>
 </refsect1>
+ <refsect1>
+ <title>Access Control</title>
+
+ <para>Journal files are by default owned and readable
+ by the <literal>systemd-journal</literal> system group
+ (but not writable). Adding a user to this group thus
+ enables her/him to read the journal files.</para>
+
+ <para>By default, each logged in user will get her/his
+ own set of journal files in
+ <filename>/var/log/journal/</filename>. These files
+ will not be owned by the user however, in order to
+ avoid that the user can write to them
+ directly. Instead, file system ACLs are used to ensure
+ the user gets read access only.</para>
+
+ <para>Additional users and groups may be granted
+ access to journal files via file system access control
+ lists (ACL). Distributions and administrators may
+ choose to grant read access to all members of the
+ <literal>wheel</literal> and <literal>adm</literal>
+ system groups with a command such as the
+ following:</para>
+
+ <programlisting># setfacl -Rnm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/</programlisting>
+
+ <para>Note that this command will update the ACLs both
+ for existing journal files and for future journal
+ files created in the
+ <filename>/var/log/journal/</filename>
+ directory.</para>
+ </refsect1>
 <refsect1>
 <title>See Also</title>
@@ -166,7 +198,8 @@
 <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
 <citerefentry><refentrytitle>journald.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
 <citerefentry><refentrytitle>systemd.journal-fields</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>sd-journal</refentrytitle><manvolnum>3</manvolnum></citerefentry>
+ <citerefentry><refentrytitle>sd-journal</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>setfacl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
 </para>
 </refsect1>
diff --git a/src/journal/journalctl.c b/src/journal/journalctl.c
index d898ae7179..cb93fea63b 100644
--- a/src/journal/journalctl.c
+++ b/src/journal/journalctl.c
@@ -870,16 +870,16 @@ static int verify(sd_journal *j) {
 static int access_check(void) {
 #ifdef HAVE_ACL
- if (access("/var/log/journal", F_OK) < 0 && geteuid() != 0 && in_group("adm") <= 0) {
- log_error("Unprivileged users can't see messages unless persistent log storage is enabled. Users in the group 'adm' can always see messages.");
+ if (access("/var/log/journal", F_OK) < 0 && geteuid() != 0 && in_group("systemd-journal") <= 0) {
+ log_error("Unprivileged users can't see messages unless persistent log storage is enabled. Users in the group 'systemd-journal' can always see messages.");
 return -EACCES;
 }
- if (!arg_quiet && geteuid() != 0 && in_group("adm") <= 0)
- log_warning("Showing user generated messages only. Users in the group 'adm' can see all messages. Pass -q to turn this notice off.");
+ if (!arg_quiet && geteuid() != 0 && in_group("systemd-journal") <= 0)
+ log_warning("Showing user generated messages only. Users in the group 'systemd-journal' can see all messages. Pass -q to turn this notice off.");
 #else
- if (geteuid() != 0 && in_group("adm") <= 0) {
- log_error("No access to messages. Only users in the group 'adm' can see messages.");
+ if (geteuid() != 0 && in_group("systemd-journal") <= 0) {
+ log_error("No access to messages. Only users in the group 'systemd-journal' can see messages.");
 return -EACCES;
 }
 #endif
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
index 654f7ace21..ac565c7ece 100644
--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@@ -174,7 +174,7 @@ static uint64_t available_space(Server *s) {
 }
 static void server_read_file_gid(Server *s) {
- const char *adm = "adm";
+ const char *g = "systemd-journal";
 int r;
 assert(s);
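Review bot: access_check gates on group membership only, so users who get their access through the ACLs this commit installs for `adm`/`wheel` still get the "Showing user generated messages only" warning, and a negative return from `in_group()` (presumably what a missing `systemd-journal` group produces, and nothing in this commit creates that group) is folded into "not a member" by the `<= 0` tests, with a message telling the user to join a group that may not exist. For the warning branch I would also accept an actually readable persistent journal, `if (!arg_quiet && geteuid() != 0 && in_group("systemd-journal") <= 0 && access("/var/log/journal", R_OK|X_OK) < 0)`, and report the lookup error separately, `r = in_group("systemd-journal"); if (r < 0) log_warning("Failed to check membership in group 'systemd-journal': %s", strerror(-r));`, so the failure mode is visible rather than indistinguishable from a plain permission denial. access_check continues past the end of the hunk.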
@@ -182,9 +182,9 @@ static void server_read_file_gid(Server *s) {
 if (s->file_gid_valid)
 return;
- r = get_group_creds(&adm, &s->file_gid);
+ r = get_group_creds(&g, &s->file_gid);
 if (r < 0)
- log_warning("Failed to resolve 'adm' group: %s", strerror(-r));
+ log_warning("Failed to resolve '%s' group: %s", g, strerror(-r));
 /* if we couldn't read the gid, then it will be 0, but that's
 * fine and we shouldn't try to resolve the group again, so |
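Review bot: On a failed lookup the code leaves file_gid at 0 and, per the trailing comment, never retries, so a system where the newly required `systemd-journal` group is missing (nothing in this commit creates it) silently group-owns every journal file by root for the daemon's lifetime, and the only trace is this one warning, which does not say what the consequence is. I would spell it out: `log_warning("Failed to resolve '%s' group, journal files will be group-owned by root: %s", g, strerror(-r));`. Failing closed to gid 0 is the right choice; this is only about making the misconfiguration diagnosable from the log. server_read_file_gid continues past the end of the hunk.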