Bug#778656: Malformed access ACL

2015-02-18 Thread Michael Biebl
Control: tag -1 - unreproducible moreinfo

On 18.02.2015 at 07:27, Martin Pitt wrote:
> Control: tag -1 unreproducible moreinfo
>
> Hey Michael,
>
> I tried to reproduce this in various ways. I created a persistent
> journal under 215-12, rebooted, upgraded to 219-1, dpkg-reconfigured,
> apt-get install --reinstall'ed, etc., but I can't get this to happen.


Here are the steps to reproduce:

Assume you have created /var/log/journal in the past, then
systemd.postinst will have applied the ACL (or you followed the
instructions in README.Debian):

# remove existing /var/log/journal
$ rm -rf /var/log/journal
$ install -d -g systemd-journal /var/log/journal
$ setfacl -R -nm g:adm:rx,d:g:adm:rx /var/log/journal

# simulate a reboot
$ systemctl restart systemd-journald.service

$ getfacl /var/log/journal/567a68a5c2672114bcf5192d0008/system.journal
getfacl: Entferne führende '/' von absoluten Pfadnamen
# file: var/log/journal/567a68a5c2672114bcf5192d0008/system.journal
# owner: root
# group: root
user::rw-
group::r-x  #effective:r--
group:adm:r-x   #effective:r--
mask::r--
other::---

# Apply the ACLs shipped by systemd (which would happen on next reboot)
$ systemd-tmpfiles --create /usr/lib/tmpfiles.d/systemd.conf

$ getfacl /var/log/journal/567a68a5c2672114bcf5192d0008/system.journal
getfacl: Entferne führende '/' von absoluten Pfadnamen
# file: var/log/journal/567a68a5c2672114bcf5192d0008/system.journal
# owner: root
# group: root
user::rw-
group::r-x
group:adm:r-x
group:adm:r-x
mask::r-x
other::---

# Note the duplicate adm group

# Upgrade systemd i.e. re-run systemd.postinst
$ dpkg-reconfigure systemd
setfacl: /var/log/journal/567a68a5c2672114bcf5192d0008: Malformed
access ACL
`user::rwx,group::r-x,group:adm:r-x,group:adm:r-x,mask::r-x,other::r-x':
Duplicate entries at entry 4
setfacl:
/var/log/journal/567a68a5c2672114bcf5192d0008/system.journal:
Malformed access ACL
`user::rw-,group::r-x,group:adm:r-x,group:adm:r-x,mask::r-x,other::---':
Duplicate entries at entry 4
setfacl:
/var/log/journal/567a68a5c2672114bcf5192d0008/user-1000.journal:
Malformed access ACL
`user::rw-,user:michael:r--,group::r-x,group:adm:r-x,group:adm:r-x,mask::r-x,other::---':
Duplicate entries at entry 5


et voila!

The problem apparently comes from systemd.conf and our existing
postinst/README.Debian using different ACLs, leading to the duplicate
group:adm entry when both are applied.



-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Bug#778656: Malformed access ACL

2015-02-18 Thread Martin Pitt
Control: tag -1 confirmed upstream
Control: forwarded -1 https://bugs.freedesktop.org/show_bug.cgi?id=89202

Hello Michael,

thanks for the clarifications! I confirmed and forwarded this
upstream.

Related to this, I removed the setfacl call from the postinst, as it's
redundant now:

  
  http://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?h=experimental&id=03497b4ae

This avoids the noise during package install/upgrade, but of course is
not an actual fix for the underlying issue, so that doesn't close this
bug yet.

Thanks,

Martin

-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)




Bug#778656: Malformed access ACL

2015-02-18 Thread Michael Biebl
On 18.02.2015 at 12:35, Michael Biebl wrote:
> The problem apparently comes from systemd.conf and our existing
> postinst/README.Debian using different ACLs, leading to the duplicate
> group:adm entry when both are applied.

Oh, it actually might be a different issue.

systemd-tmpfiles will happily create duplicate ACL entries, e.g. try to
run systemd-tmpfiles --create /usr/lib/tmpfiles.d/systemd.conf 5 times
in a row, and you'll have 5 group:adm:r-x entries.

Running setfacl (as used in postinst or in README.Debian) is more picky
and will complain.

I'd say this is a bug in systemd-tmpfiles.

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
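
A check for the condition discussed in this thread, added here as an example (it is not from the thread, systemd, or the Debian packaging): it reads `getfacl` output and reports each file whose ACL lists the same tag:qualifier twice, the state `setfacl` rejects with "Duplicate entries". The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag ACLs that contain duplicate entries.
# find_dup_acl reads `getfacl` output on stdin and prints
# "<file><TAB><tag:qualifier>" once per duplicated entry.
find_dup_acl() {
    awk '
        /^# file: /  { file = substr($0, 9); split("", seen); next }
        /^#/ || /^[ \t]*$/ { next }          # other headers, blank separators
        {
            entry = $0
            sub(/[ \t]*#.*$/, "", entry)     # drop "#effective:..." comments
            key = entry
            sub(/:[^:]*$/, "", key)          # strip permissions, keep tag:qualifier
            if (++seen[key] == 2)            # report each duplicate once per file
                printf "%s\t%s\n", file, key
        }
    '
}

# Constructed sample modelled on the getfacl output in this thread;
# "MACHINE-ID" is a placeholder directory name.
sample_acl() {
    cat <<'EOF'
# file: var/log/journal/MACHINE-ID/system.journal
# owner: root
# group: root
user::rw-
group::r-x   #effective:r--
group:adm:r-x
group:adm:r-x
mask::r-x
other::---

# file: var/log/journal/MACHINE-ID/clean.journal
# owner: root
# group: root
user::rw-
group::r-x
group:adm:r-x
mask::r-x
other::---
EOF
}

# On a live system: getfacl -R /var/log/journal 2>/dev/null | find_dup_acl
sample_acl | find_dup_acl
```

Access and default entries are keyed separately, so `group:adm` and `default:group:adm` on the same directory are not reported as duplicates.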





Bug#778656: Malformed access ACL

2015-02-17 Thread Michael Biebl
Package: systemd
Version: 219-1
Severity: important

I do have persistent logging enabled.
After the update to 219-1, I get the following messages on
dpkg-reconfigure -a systemd

# dpkg-reconfigure systemd
setfacl: /var/log/journal/567a68a5c2672114bcf5192d0008: Malformed
access ACL
`user::rwx,group::r-x,group:adm:r-x,group:adm:r-x,mask::r-x,other::r-x':
Duplicate entries at entry 4
setfacl:
/var/log/journal/567a68a5c2672114bcf5192d0008/system@718656154e1546fcb5d438a9edf3155f-0026448b-00050de41b746eac.journal:
Malformed access ACL
`user::rw-,group::r-x,group:adm:r-x,group:adm:r-x,mask::r-x,other::---':
Duplicate entries at entry 4
setfacl:
/var/log/journal/567a68a5c2672114bcf5192d0008/user-65534@8ebf0fb523894a288a10e73985268fd3-00210822-00050b7271af4e5f.journal:
Malformed access ACL
`user::rw-,user:nobody:r--,group::r-x,group:adm:r-x,group:adm:r-x,mask::r-x,other::---':
Duplicate entries at entry 5
setfacl:
/var/log/journal/567a68a5c2672114bcf5192d0008/user-109.journal:
Malformed access ACL
`user::rw-,user:Debian-gdm:r--,group::r-x,group:adm:r-x,group:adm:r-x,mask::r-x,other::r--':
Duplicate entries at entry 5
setfacl:
/var/log/journal/567a68a5c2672114bcf5192d0008/user-1000@00050e6501bfa725-1728cb2f60eede7c.journal~:
Malformed access ACL
`user::rw-,user:michael:r--,group::r-x,group:adm:r-x,group:adm:r-x,mask::r-x,other::---':
Duplicate entries at entry 5
setfacl:
/var/log/journal/567a68a5c2672114bcf5192d0008/user-1001.journal:
Malformed access ACL
`user::rw-,user:test:r--,group::r-x,group:adm:r-x,group:adm:r-x,mask::r-x,other::---':
Duplicate entries at entry 5
setfacl:
/var/log/journal/567a68a5c2672114bcf5192d0008/user-1000@690216233b624f11a2201e9f98176515-0021f2f2-00050c4b51fd09dc.journal:
Malformed access ACL
`user::rw-,user:michael:r--,group::r-x,group:adm:r-x,group:adm:r-x,mask::r-x,other::---':
Duplicate entries at entry 5
setfacl:
/var/log/journal/567a68a5c2672114bcf5192d0008/system@00050e650144ab12-15158e9a9df4f071.journal~:
Malformed access ACL
`user::rw-,group::r-x,group:adm:r-x,group:adm:r-x,mask::r-x,other::---':
Duplicate entries at entry 4
setfacl:
/var/log/journal/567a68a5c2672114bcf5192d0008/system@718656154e1546fcb5d438a9edf3155f-0001-00050c4b51788fe4.journal:
Malformed access ACL
`user::rw-,group::r-x,group:adm:r-x,group:adm:r-x,mask::r-x,other::---':
Duplicate entries at entry 4
setfacl:
/var/log/journal/567a68a5c2672114bcf5192d0008/user-65534.journal:
Malformed access ACL
`user::rw-,user:nobody:r--,group::r-x,group:adm:r-x,group:adm:r-x,mask::r-x,other::---':
Duplicate entries at entry 5
setfacl:
/var/log/journal/567a68a5c2672114bcf5192d0008/system.journal:
Malformed access ACL
`user::rw-,group::r-x,group:adm:r-x,group:adm:r-x,mask::r-x,other::---':
Duplicate entries at entry 4
setfacl:
/var/log/journal/567a68a5c2672114bcf5192d0008/user-1000.journal:
Malformed access ACL
`user::rw-,user:michael:r--,group::r-x,group:adm:r-x,group:adm:r-x,mask::r-x,other::---':
Duplicate entries at entry 5



root@pluto:~# ls -la /var/log/journal/
total 32
drwxr-sr-x+  3 root systemd-journal  4096 Feb 18 00:37 .
drwxr-xr-x. 22 root root            12288 Feb 17 23:08 ..
drwxr-sr-x+  2 root systemd-journal 12288 Feb  6 06:51 567a68a5c2672114bcf5192d0008
root@pluto:~# ls -la /var/log/journal/567a68a5c2672114bcf5192d0008/
total 426072
drwxr-sr-x+ 2 root systemd-journal 12288 Feb  6 06:51 .
drwxr-sr-x+ 3 root systemd-journal  4096 Feb 18 00:37 ..
-rw-r-x---+ 1 root systemd-journal  67108864 Feb 18 00:38 system.journal
-rw-r-x---+ 1 root systemd-journal  25165824 Feb  6 06:50 system@00050e650144ab12-15158e9a9df4f071.journal~
-rw-r-x---+ 1 root systemd-journal 134217728 Jan 30 21:04 system@718656154e1546fcb5d438a9edf3155f-0001-00050c4b51788fe4.journal
-rw-r-x---+ 1 root systemd-journal  33554432 Feb  5 16:08 system@718656154e1546fcb5d438a9edf3155f-0026448b-00050de41b746eac.journal
-rw-r-x---+ 1 root systemd-journal  41943040 Feb 18 00:37 user-1000.journal
-rw-r-x---+ 1 root systemd-journal   8388608 Feb  6 06:51 user-1000@00050e6501bfa725-1728cb2f60eede7c.journal~
-rw-r-x---+ 1 root systemd-journal  92274688 Feb  5 16:08 user-1000@690216233b624f11a2201e9f98176515-0021f2f2-00050c4b51fd09dc.journal
-rw-r-x---+ 1 root systemd-journal   8388608 Feb 16 17:31 user-1001.journal
-rw-r-xr--+ 1 root systemd-journal   8388608 Sep 13 02:27 user-109.journal
-rw-r-x---+ 1 root systemd-journal   8388608 Feb 17 23:13 user-65534.journal
-rw-r-x---+ 1 root systemd-journal   8388608 Feb  5 16:08 user-65534@8ebf0fb523894a288a10e73985268fd3-00210822-00050b7271af4e5f.journal
root@pluto:~# getfacl /var/log/journal/567a68a5c2672114bcf5192d0008/system.journal
getfacl: Removing leading '/' from absolute path names
# file: var/log/journal/567a68a5c2672114bcf5192d0008/system.journal
# owner: root
# group: systemd-journal
user::rw-
group::r-x
group:adm:r-x
group:adm:r-x
mask::r-x
other::---

Bug#778656: Malformed access ACL

2015-02-17 Thread Martin Pitt
Control: tag -1 unreproducible moreinfo

Hey Michael,

I tried to reproduce this in various ways. I created a persistent
journal under 215-12, rebooted, upgraded to 219-1, dpkg-reconfigured,
apt-get install --reinstall'ed, etc., but I can't get this to happen.

Michael Biebl [2015-02-18  0:40 +0100]:
> # dpkg-reconfigure systemd
> setfacl: /var/log/journal/567a68a5c2672114bcf5192d0008: Malformed
> access ACL

I'm quite sure this comes from our postinst:

| if [ -d /var/log/journal ]; then
|     # Grant read access to /var/log/journal for members of the adm group
|     # via a filesystem ACL. This makes them able to read the journal.
|     # Failure is ignored since there might be file systems mounted without
|     # ACL support.
|     setfacl -R -nm g:adm:rx,d:g:adm:rx /var/log/journal || true
| fi

Can you confirm this? I. e. do you still get this error if you
reconfigure/reinstall again? Does dropping this postinst snippet fix
it?

We can drop it now, as tmpfiles.d/systemd.conf now automatically adds
an adm ACL to /var/log/journal and /run/log/journal/. I just updated
README.Debian in git accordingly.

But I'd like you to confirm that this indeed fixes the clutter, or
whether that's coming from systemd-tmpfiles itself.

> getfacl: Removing leading '/' from absolute path names
> # file: var/log/journal/567a68a5c2672114bcf5192d0008/system.journal
> # owner: root
> # group: systemd-journal
> user::rw-
> group::r-x
> group:adm:r-x
> group:adm:r-x

^ That's the bit that I can't reproduce. If I call setfacl, or let
tmpfiles.d do its thing, I never get this duplicate ACL. Do you still
remember how you managed to get this?

Thanks,

Martin

-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)

