On 05.10.2015 at 13:12, Michael Biebl wrote:
> On 05.10.2015 at 13:08, Raphaël Halimi wrote:
>> On 05/10/2015 12:30, Michael Biebl wrote:
>>> But the subdirectories of /var/log/journal have the correct ACL set, right?
>>
>> Yes, you're right, I just noticed it; but using journalctl as a user
>> won't display system messages (only user messages), which is not the
>> expected behavior of adding a user in the "adm" group (pre-systemd).
>>
>> Maybe it's because the system.journal file doesn't have the ACL set?
>>
>> raph@arche:~$ getfacl -R /var/log/journal/
>> getfacl : suppression du premier « / » des noms de chemins absolus
>> # file: var/log/journal/
>> # owner: root
>> # group: systemd-journal
>> # flags: -s-
>> user::rwx
>> group::r-x
>> other::r-x
>>
>> # file: var/log/journal//3deacfa10d0c169adfdeb36c50522bd6
>> # owner: root
>> # group: systemd-journal
>> # flags: -s-
>> user::rwx
>> group::r-x
>> group:adm:r-x
>> mask::r-x
>> other::r-x
>> default:user::rwx
>> default:group::r-x
>> default:group:adm:r-x
>> default:mask::r-x
>> default:other::r-x
>>
>> # file: var/log/journal//3deacfa10d0c169adfdeb36c50522bd6/user-1000.journal
>> # owner: root
>> # group: root
>> user::rw-
>> user:raph:r--
>> group::r--
>> mask::r--
>> other::---
>>
>> # file: var/log/journal//3deacfa10d0c169adfdeb36c50522bd6/system.journal
>> # owner: root
>> # group: root
>> user::rw-
>> group::r--
>> other::---
>>
>> I admit I don't know ACLs very well, but aren't the "default:..." lines
>> supposed to mean that the files under there should have these
>> permissions too?
>
> See
> https://github.com/systemd/systemd/commit/8b258a645ae63dff3ab8dde6520d2e770e2a40f1
>
> Apparently this was an intended change.

Apparently the files were created before the ACLs had been set for
/var/log/journal/3deacfa10d0c169adfdeb36c50522bd6
so the journal files that were created did not inherit the correct ACLs
from the parent directory.

Possibly you created /var/log/journal or set Storage=persistent, but did
*not* reboot the system afterwards, which would trigger systemd-tmpfiles
to be run. And once you restarted systemd-journald (which can happen by a
systemd update), the journal files were created without the ACLs set.
On the next reboot, the systemd.conf tmpfile did apply the ACL for the
directory, but it was too late at that point.

I wonder if we should fix the documentation to tell people to run
systemd-tmpfiles /usr/lib/tmpfiles/systemd.conf immediately after
enabling persistent journal.

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
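
An added example, not part of the thread and not systemd code: a Python check that parses getfacl -R output and reports paths lacking a named entry that the parent directory's default ACL would have granted, which is the state of system.journal described above. The first two sample records are abridged from the output quoted in the thread; the after-fix.journal record and the function names are constructed for illustration.

```python
import posixpath

# Records 1-2 abridged from the thread's getfacl output; record 3 is constructed.
SAMPLE = """\
# file: var/log/journal//3deacfa10d0c169adfdeb36c50522bd6
group:adm:r-x
default:user::rwx
default:group::r-x
default:group:adm:r-x
default:mask::r-x
default:other::r-x

# file: var/log/journal//3deacfa10d0c169adfdeb36c50522bd6/system.journal
user::rw-
group::r--
other::---

# file: var/log/journal//3deacfa10d0c169adfdeb36c50522bd6/after-fix.journal
user::rw-
group:adm:r-x\t#effective:r--
mask::r--
other::---
"""

def parse_getfacl(text):
    """Map each path to its named access and default ACL entries."""
    acls, cur = {}, None
    for line in text.splitlines():
        if line.startswith("# file: "):
            cur = acls.setdefault(posixpath.normpath(line[8:].strip()),
                                  {"access": set(), "default": set()})
        elif line.strip() and not line.startswith("#") and cur is not None:
            parts = line.split("#")[0].strip().split(":")  # drop "#effective"
            if len(parts) >= 3 and parts[-2]:  # named entry, e.g. group:adm
                kind = "default" if parts[0] == "default" else "access"
                cur[kind].add((parts[-3], parts[-2]))
    return acls

def missing_inherited(acls):
    """Paths lacking a named entry that the parent's default ACL would grant."""
    findings = {}
    for path, acl in acls.items():
        parent = acls.get(posixpath.dirname(path))
        gap = parent["default"] - acl["access"] if parent else set()
        if gap:
            findings[path] = sorted(gap)
    return findings

if __name__ == "__main__":
    print(missing_inherited(parse_getfacl(SAMPLE)))
```

Files created before the directory received its default ACL show up in the result; files created afterwards, like the constructed after-fix.journal, do not.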
