From a24c64f03f9c5c0304451d8542fee853187a5168 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Tue, 5 Mar 2013 18:53:21 +0100
Subject: journald: introduce new "systemd-journal" group and make it own the journal files

Previously all journal files were owned by "adm". In order to allow specific users to read the journal files without granting it access to the full "adm" powers, introduce a new specific group for this. "systemd-journal" has to be created by the packaging scripts manually at installation time. It's a good idea to assign a static UID/GID to this group, since /var/log/journal might be shared across machines via NFS. This commit also grants read access to the journal files by default to members of the "wheel" and "adm" groups via file system ACLs, since these "almost-root" groups should be able to see what's going on on the system. These ACLs are created by "make install". Packagers probably need to duplicate this logic in their postinst scripts. This also adds documentation how to grant access to the journal to additional users or groups via fs ACLs.
---
 Makefile.am | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'Makefile.am')

diff --git a/Makefile.am b/Makefile.am
index 3d3f2652f6..13211c45bd 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2563,9 +2563,16 @@ libsystemd_journal_internal_la_LIBADD += \
 $(GCRYPT_LIBS)
 endif
 
-# move lib from $(libdir) to $(rootlibdir) and update devel link, if needed
+# move lib from $(libdir) to $(rootlibdir) and update devel link, if
+# needed. Also, grant read access to new journal files to members of
+# "adm" and "wheel".
 libsystemd-journal-install-hook:
 libname=libsystemd-journal.so && $(move-to-rootlibdir)
+ $(MKDIR_P) $(DESTDIR)/var/log/journal
+ -chown 0:0 $(DESTDIR)/var/log/journal
+ -chmod 755 $(DESTDIR)/var/log/journal
+ -setfacl -nm g:adm:rx,d:g:adm:rx $(DESTDIR)/var/log/journal/
+ -setfacl -nm g:wheel:rx,d:g:wheel:rx $(DESTDIR)/var/log/journal/
 
 libsystemd-journal-uninstall-hook:
 rm -f $(DESTDIR)$(rootlibdir)/libsystemd-journal.so*
-- cgit v1.2.3-54-g00ecf
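Review bot: The two `setfacl` lines apply the default ACL only to `$(DESTDIR)/var/log/journal/` itself, and a default ACL is inherited only by entries created under that directory afterwards; on an upgrade where journald has already created a subdirectory there (likely, though not visible in this hunk), new journal files would still be unreadable for "adm" and "wheel", which the rewritten comment does not say. All four permission commands also carry the `-` prefix, so a missing `setfacl` binary, an unknown group or a filesystem without ACL support ends in a successful install with no access change and no hint why. Since this decides who can read system logs, I would at least record both limits in the comment, e.g. `# Best effort: failures are ignored, and only directories created after this step inherit the ACL.` The `chown 0:0` also leaves the directory group as root rather than the "systemd-journal" group from the commit message, which is worth confirming against the code that creates the journal files.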