From e346512c684e9efae84c6442f7e6a5781564ecde Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Wed, 22 Apr 2015 22:54:23 +0200 Subject: journalctl: rework code that checks whether we have access to /var/log/journal - fix some memory leaks on error conditions - handle all error cases properly, and log about failures - move HAVE_ACL and no-HAVE_ACL code closer to each other --- src/journal/journalctl.c | 120 ++++++++++++++++++++++++----------------------- 1 file changed, 62 insertions(+), 58 deletions(-) (limited to 'src/journal') diff --git a/src/journal/journalctl.c b/src/journal/journalctl.c index a5ed41d84b..666aa20480 100644 --- a/src/journal/journalctl.c +++ b/src/journal/journalctl.c @@ -1524,61 +1524,76 @@ static int verify(sd_journal *j) { return r; } -#ifdef HAVE_ACL static int access_check_var_log_journal(sd_journal *j) { +#ifdef HAVE_ACL _cleanup_strv_free_ char **g = NULL; - bool have_access; + const char* dir; +#endif int r; assert(j); - have_access = in_group("systemd-journal") > 0; + if (arg_quiet) + return 0; - if (!have_access) { - const char* dir; + /* If we are root, we should have access, don't warn. */ + if (getuid() == 0) + return 0; - if (access("/run/log/journal", F_OK) >= 0) - dir = "/run/log/journal"; - else - dir = "/var/log/journal"; + /* If we are in the 'systemd-journal' group, we should have + * access too. */ + r = in_group("systemd-journal"); + if (r < 0) + return log_error_errno(r, "Failed to check if we are in the 'systemd-journal' group: %m"); + if (r > 0) + return 0; - /* Let's enumerate all groups from the default ACL of - * the directory, which generally should allow access - * to most journal files too */ - r = search_acl_groups(&g, dir, &have_access); - if (r < 0) - return r; - } +#ifdef HAVE_ACL + if (laccess("/run/log/journal", F_OK) >= 0) + dir = "/run/log/journal"; + else + dir = "/var/log/journal"; - if (!have_access) { + /* If we are in any of the groups listed in the journal ACLs, + * then all is good, too. Let's enumerate all groups from the + * default ACL of the directory, which generally should allow + * access to most journal files too. */ + r = acl_search_groups(dir, &g); + if (r < 0) + return log_error_errno(r, "Failed to search journal ACL: %m"); + if (r > 0) + return 0; - if (strv_isempty(g)) - log_notice("Hint: You are currently not seeing messages from other users and the system.\n" - " Users in the 'systemd-journal' group can see all messages. Pass -q to\n" - " turn off this notice."); - else { - _cleanup_free_ char *s = NULL; + /* Print a pretty list, if there were ACLs set. */ + if (!strv_isempty(g)) { + _cleanup_free_ char *s = NULL; - r = strv_extend(&g, "systemd-journal"); - if (r < 0) - return log_oom(); + /* Thre are groups in the ACL, let's list them */ + r = strv_extend(&g, "systemd-journal"); + if (r < 0) + return log_oom(); - strv_sort(g); - strv_uniq(g); + strv_sort(g); + strv_uniq(g); - s = strv_join(g, "', '"); - if (!s) - return log_oom(); + s = strv_join(g, "', '"); + if (!s) + return log_oom(); - log_notice("Hint: You are currently not seeing messages from other users and the system.\n" - " Users in groups '%s' can see all messages.\n" - " Pass -q to turn off this notice.", s); - } + log_notice("Hint: You are currently not seeing messages from other users and the system.\n" + " Users in groups '%s' can see all messages.\n" + " Pass -q to turn off this notice.", s); + return 1; } +#endif - return 0; + /* If no ACLs were found, print a short version of the message. */ + log_notice("Hint: You are currently not seeing messages from other users and the system.\n" + " Users in the 'systemd-journal' group can see all messages. Pass -q to\n" + " turn off this notice."); + + return 1; } -#endif static int access_check(sd_journal *j) { Iterator it; @@ -1590,30 +1605,15 @@ static int access_check(sd_journal *j) { if (set_isempty(j->errors)) { if (ordered_hashmap_isempty(j->files)) log_notice("No journal files were found."); + return 0; } if (set_contains(j->errors, INT_TO_PTR(-EACCES))) { -#ifdef HAVE_ACL - /* If /run/log/journal or /var/log/journal exist, try - to pring a nice notice if the user lacks access to it. */ - if (!arg_quiet && geteuid() != 0) { - r = access_check_var_log_journal(j); - if (r < 0) - return r; - } -#else - if (geteuid() != 0 && in_group("systemd-journal") <= 0) { - log_error("Unprivileged users cannot access messages. Users in the 'systemd-journal' group\n" - "group may access messages."); - return -EACCES; - } -#endif + (void) access_check_var_log_journal(j); - if (ordered_hashmap_isempty(j->files)) { - log_error("No journal files were opened due to insufficient permissions."); - r = -EACCES; - } + if (ordered_hashmap_isempty(j->files)) + r = log_error_errno(EACCES, "No journal files were opened due to insufficient permissions."); } SET_FOREACH(code, j->errors, it) { @@ -1622,8 +1622,12 @@ static int access_check(sd_journal *j) { err = -PTR_TO_INT(code); assert(err > 0); - if (err != EACCES) - log_warning_errno(err, "Error was encountered while opening journal files: %m"); + if (err == EACCES) + continue; + + log_warning_errno(err, "Error was encountered while opening journal files: %m"); + if (r == 0) + r = -err; } return r; -- cgit v1.2.3-54-g00ecf