Bug#934284: journal sometimes with x-bit, sometimes without

2022-03-14 Thread Marc Haber
On Mon, Mar 14, 2022 at 05:13:28PM +0100, Michael Biebl wrote:
> upstream has closed bug report I created at
> 
> https://github.com/systemd/systemd/issues/22729
> 
> They argue that everything is working as expected and if aide trips up over
> that masked out x-bit it should be aide that needs to be fixed.

That fully matches my expectations about system Upstream. aide will be
ignoring journal's ACLs in the future if that's what Upstream wants in
their wisdom.

The bug report will be referenced in the rule.

Thanks for your help.

Greetings
Marc

-- 
-
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany|  lose things."Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421



Bug#934284: journal sometimes with x-bit, sometimes without

2022-03-14 Thread Michael Biebl

On 14.03.22 at 12:32, Marc Haber wrote:
> On Mon, Mar 14, 2022 at 11:38:01AM +0100, Michael Biebl wrote:
> > Nowadays I have a persistent journal enabled basically everywhere, which
> > somewhat mitigates this issue as /var/log/journal/ will persist
> > across reboots and new files will always inherit the same ACLs settings.
>
> That might apply to the default configuration, yes.
>
> > That said, I know too little about ACLs to suggest a way how to setup the
> > parent folder differently so new files not getting the (ineffective) x-bit.
>
> Maybe ACLs have a construct similar to umask?
>
> > It's a bit of an oddity for sure but at least with a persistent journal you
> > would not get this warning from aide I assume as all files would now have an
> > (in-effective) x-bit set?
>
> I have no machine running with a persistent journal. I am probably too
> much an old fart to adjust my finger memory to using journalctl, despite
> desperately trying for years yet.

upstream has closed bug report I created at

https://github.com/systemd/systemd/issues/22729

They argue that everything is working as expected and if aide trips up 
over that masked out x-bit it should be aide that needs to be fixed.







Bug#934284: journal sometimes with x-bit, sometimes without

2022-03-14 Thread Marc Haber
On Mon, Mar 14, 2022 at 11:38:01AM +0100, Michael Biebl wrote:
> Nowadays I have a persistent journal enabled basically everywhere, which
> somewhat mitigates this issue as /var/log/journal/ will persist
> across reboots and new files will always inherit the same ACLs settings.

That might apply to the default configuration, yes.

> That said, I know too little about ACLs to suggest a way how to setup the
> parent folder differently so new files not getting the (ineffective) x-bit.

Maybe ACLs have a construct similar to umask?

> It's a bit of an oddity for sure but at least with a persistent journal you
> would not get this warning from aide I assume as all files would now have an
> (in-effective) x-bit set?

I have no machine running with a persistent journal. I am probably too
much an old fart to adjust my finger memory to using journalctl, despite
desperately trying for years yet.

Greetings
Marc

-- 
-
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany|  lose things."Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421



Bug#934284: journal sometimes with x-bit, sometimes without

2022-03-14 Thread Michael Biebl
On Fri, 25 Feb 2022 19:31:21 +0100 Marc Haber wrote:
> Hi Michael,
>
> thanks to some insights from Bastian Blank explaining ACLs, I have the
> following hypothesis:
>
> - System boots up
> - journald starts
> - journald creates directories in /run/log without caring much
> - journald begins logging, creating file without -x bits
> - systemd-tmpfiles starts
> - systemd-tmpfiles fixes directory permissions including ACL and
>   defaults settings (cf /usr/lib/tmpfiles.d/systemd.conf)
> - journald rotates logs
> - new journal is created
> - defaults settings on directory are honored now
> - so the new journal has the x bit set



Nowadays I have a persistent journal enabled basically everywhere, which 
somewhat mitigates this issue as /var/log/journal/ will 
persist across reboots and new files will always inherit the same ACLs 
settings.


For fun I removed /var/log/journal on a PI and just rebooted it:


root@raspberrypi:/run/log/journal/92e74c0bd699cc0d17d48ad852cc73e2# ll *
-rw-r-----+ 1 root systemd-journal 1130496 14. Mär 11:16 system@4e4fa9683e9041d08a052d753423c783-0001-0005da2af7b5dcad.journal
-rw-r-----+ 1 root systemd-journal 1130496 14. Mär 11:20 system.journal

root@raspberrypi:/run/log/journal/92e74c0bd699cc0d17d48ad852cc73e2# getfacl *
# file: system@4e4fa9683e9041d08a052d753423c783-0001-0005da2af7b5dcad.journal
# owner: root
# group: systemd-journal
user::rw-
group::r--
group:adm:r--
mask::r--
other::---

# file: system.journal
# owner: root
# group: systemd-journal
user::rw-
group::r-x  #effective:r--
group:adm:r-x   #effective:r--
mask::r--
other::---

systemd-tmpfiles-setup.service has an explicit
After=systemd-journald.service. So your theory would be a reasonable 
explanation for what we are seeing here.


That said, I know too little about ACLs to suggest a way how to setup 
the parent folder differently so new files not getting the (ineffective) 
x-bit.
It's a bit of an oddity for sure but at least with a persistent journal 
you would not get this warning from aide I assume as all files would now 
have an (in-effective) x-bit set?


Michael







Bug#934284: journal sometimes with x-bit, sometimes without

2022-02-25 Thread Marc Haber
Hi Michael,

thanks to some insights from Bastian Blank explaining ACLs, I have the
following hypothesis:

On Fri, Aug 09, 2019 at 04:16:06PM +0200, Michael Biebl wrote:
> I have never seen this behaviour myself on the multitude of systems I
> run (laptop, servers, VM, containers) so I don't really have any idea.

That would be:

- System boots up
- journald starts
- journald creates directories in /run/log without caring much
- journald begins logging, creating file without -x bits
- systemd-tmpfiles starts
- systemd-tmpfiles fixes directory permissions including ACL and
  defaults settings (cf /usr/lib/tmpfiles.d/systemd.conf)
- journald rotates logs
- new journal is created
- defaults settings on directory are honored now
- so the new journal has the x bit set

Can you check whether this might be the case? It would be a good idea to
sample the ACLs on /run/log/journal/ before and after
journald starts up but before tmpfiles is run. I don't have an idea how
to do that.

Greetings
Marc

-- 
-
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany|  lose things."Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421
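
The inheritance step in the hypothesis above, and the reason the extra x-bit grants nothing, as an added example that is not part of the original thread: a pure-Python model of the acl(5) rule for files created under a default ACL, run on the getfacl output quoted in this thread. The create mode 0640 and all function names are assumptions of this example; comparing effective rights is one way an integrity check can avoid reporting the masked bit.

```python
# Added example: POSIX ACL default inheritance and the mask, in pure Python.
# The ACL texts below are copied from getfacl output quoted in this thread.
PERMS = (("r", 4), ("w", 2), ("x", 1))

DIR_ACL = """\
user::rwx
group::r-x
group:adm:r-x
mask::r-x
other::---
default:user::rwx
default:group::r-x
default:group:adm:r-x
default:mask::r-x
default:other::---
"""

BEFORE_ROTATION = """\
user::rw-
group::r--
group:adm:r--
mask::r--
other::---
"""

AFTER_ROTATION = """\
user::rw-
group::r-x  #effective:r--
group:adm:r-x   #effective:r--
mask::r--
other::---
"""


def parse_getfacl(text):
    """Return (access, default) dicts mapping (tag, qualifier) -> permission bits."""
    access, default = {}, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drops headers and '#effective:' notes
        if not line:
            continue
        target = access
        if line.startswith("default:"):
            target, line = default, line[len("default:"):]
        tag, qualifier, perms = line.split(":")
        target[(tag, qualifier)] = sum(bit for ch, bit in PERMS if ch in perms)
    return access, default


def inherit(default_acl, create_mode):
    """Access ACL of a file created in a directory that has a default ACL (acl(5))."""
    acl = dict(default_acl)
    acl[("user", "")] &= (create_mode >> 6) & 7
    acl[("other", "")] &= create_mode & 7
    # With a mask entry present, the group bits of the mode limit the mask only;
    # group:: and the named entries keep what the default ACL says.
    limited = ("mask", "") if ("mask", "") in acl else ("group", "")
    acl[limited] &= (create_mode >> 3) & 7
    return acl


def effective(acl):
    """Apply the mask to the owning group and all named entries; drop the mask."""
    mask = acl.get(("mask", ""), 7)
    rights = {}
    for (tag, qualifier), bits in acl.items():
        if tag == "mask":
            continue
        masked = tag == "group" or (tag == "user" and qualifier != "")
        rights[(tag, qualifier)] = bits & mask if masked else bits
    return rights


def changed_entries(old, new):
    """Sorted 'tag:qualifier' names whose bits differ between two ACL dicts."""
    keys = set(old) | set(new)
    return sorted(f"{t}:{q}" for t, q in keys if old.get((t, q)) != new.get((t, q)))


if __name__ == "__main__":
    _, dir_default = parse_getfacl(DIR_ACL)
    before, _ = parse_getfacl(BEFORE_ROTATION)
    after, _ = parse_getfacl(AFTER_ROTATION)
    # Assumption: the journal file is created with mode 0640.
    print("inherited == after rotation:", inherit(dir_default, 0o640) == after)
    print("raw ACL diff:      ", changed_entries(before, after))
    print("effective ACL diff:", changed_entries(effective(before), effective(after)))
```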



Bug#934284: journal sometimes with x-bit, sometimes without

2020-02-03 Thread Marc Haber
On Mon, Feb 03, 2020 at 09:44:19AM +0100, Michael Biebl wrote:
> On 03.02.20 at 09:30, Marc Haber wrote:
> > group::r-x  #effective:r--
> > group:adm:r-x   #effective:r--
> 
> Just to be clear: you mean this x bit set for group/group:adm which is
> not in effect (in effect is r-- due to the mask)
> So is there actually a problem?

The problem is that aide notices the changes and duly reports it. And I
think it's an unintended change and would like to not being forced to
mask that.

> Afaics, this is just a result of how the permissions/ACLs are setup for
> /run/log/journal/$machineid
> 
> If you create a file via touch in that directory, it should have the
> same permissions as the journal files, right?

[2/1541]mh@roll:~ $ sudo touch /run/log/journal/a663cb108c444a01ac0802d96eb0bccc/foo
[sudo] password for mh on roll: 
[3/1542]mh@roll:~ $ ls -al /run/log/journal/a663cb108c444a01ac0802d96eb0bccc/
total 9,9M
drwxr-s---+ 2 root systemd-journal  100 Feb  3 15:44 ./
drwxr-sr-x  3 root systemd-journal   60 Feb  3 08:48 ../
-rw-r-----+ 1 root systemd-journal    0 Feb  3 15:44 foo
-rw-r-----+ 1 root systemd-journal 5,0M Feb  3 09:28 system\@2914964836b94758b67f1e5882bed2d2-0001-00059da724f09f96.journal
-rw-r-----+ 1 root systemd-journal 5,0M Feb  3 15:44 system.journal
[4/1543]mh@roll:~ $ getfacl /run/log/journal/a663cb108c444a01ac0802d96eb0bccc/foo
getfacl: Removing leading '/' from absolute path names
# file: run/log/journal/a663cb108c444a01ac0802d96eb0bccc/foo
# owner: root
# group: systemd-journal
user::rw-
group::r-x  #effective:r--
group:adm:r-x   #effective:r--
mask::r--
other::---

[5/1544]mh@roll:~ $ getfacl /run/log/journal/a663cb108c444a01ac0802d96eb0bccc/system.journal
getfacl: Removing leading '/' from absolute path names
# file: run/log/journal/a663cb108c444a01ac0802d96eb0bccc/system.journal
# owner: root
# group: systemd-journal
user::rw-
group::r-x  #effective:r--
group:adm:r-x   #effective:r--
mask::r--
other::---

[6/1545]mh@roll:~ $ 

Looks like that, but why are the acls on the rotated file (that should simply
be a rename, right?) also changing?

Currently, /usr/lib/tmpfiles.d/systemd.conf has:
d /run/log 0755 root root -
z /run/log/journal 2755 root systemd-journal - -
Z /run/log/journal/%m ~2750 root systemd-journal - -
a+ /run/log/journal/%m - - - - d:group:adm:r-x
a+ /run/log/journal/%m - - - - group:adm:r-x
a+ /run/log/journal/%m/*.journal* - - - - group:adm:r--
z /var/log/journal 2755 root systemd-journal - -
z /var/log/journal/%m 2755 root systemd-journal - -
z /var/log/journal/%m/system.journal 0640 root systemd-journal - -
a+ /var/log/journal - - - - d:group::r-x,d:group:adm:r-x
a+ /var/log/journal - - - - group::r-x,group:adm:r-x
a+ /var/log/journal/%m - - - - d:group:adm:r-x
a+ /var/log/journal/%m - - - - group:adm:r-x
a+ /var/log/journal/%m/system.journal - - - - group:adm:r--
d /var/log/private 0700 root root -

What would need to change to have the directory directly created with
the appropriate permissions that matches the one that gets set in log
rotation?

I see that we're rapidly approaching a solution. I really appreciate
that.

Greetings
Marc

-- 
-
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany|  lose things."Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421



Bug#934284: journal sometimes with x-bit, sometimes without

2020-02-03 Thread Michael Biebl
On 03.02.20 at 09:44, Michael Biebl wrote:
> On 03.02.20 at 09:30, Marc Haber wrote:
> 
>> group::r-x  #effective:r--
>> group:adm:r-x   #effective:r--
> 
> Just to be clear: you mean this x bit set for group/group:adm which is
> not in effect (in effect is r-- due to the mask)
> So is there actually a problem?
> 
> Afaics, this is just a result of how the permissions/ACLs are setup for
> /run/log/journal/$machineid
> 
> If you create a file via touch in that directory, it should have the
> same permissions as the journal files, right?
> 
> 

I wonder if the permissions of system.journal are different directly
after boot because systemd-tmpfiles has changed them explicitly

If I run
SYSTEMD_LOG_LEVEL=debug systemd-tmpfiles --create --prefix=/run/log/journal

I see among others
Setting access ACL u::rw-,g::r-x,g:adm:r--,m::r--,o::--- on /run/log/journal/92e74c0bd699cc0d17d48ad852cc73e2/system.journal.
Setting access ACL u::rw-,g::r--,g:adm:r--,m::r--,o::--- on /run/log/journal/92e74c0bd699cc0d17d48ad852cc73e2/system@b5595ec413b2491e8abe7287673ba291-0001-00059da7f0b3ea1a.journal.





Bug#934284: journal sometimes with x-bit, sometimes without

2020-02-03 Thread Michael Biebl
On 03.02.20 at 09:30, Marc Haber wrote:

> group::r-x  #effective:r--
> group:adm:r-x   #effective:r--

Just to be clear: you mean this x bit set for group/group:adm which is
not in effect (in effect is r-- due to the mask)
So is there actually a problem?

Afaics, this is just a result of how the permissions/ACLs are setup for
/run/log/journal/$machineid

If you create a file via touch in that directory, it should have the
same permissions as the journal files, right?






Bug#934284: journal sometimes with x-bit, sometimes without

2020-02-03 Thread Marc Haber
On Mon, Feb 03, 2020 at 09:04:36AM +0100, Michael Biebl wrote:
> You should be able to trigger an explicit rotation by sending the
> journald process SIGUSR2
> $ systemctl kill --signal=USR2 systemd-journald.service
> 
> This should make it easier for you to check your theory.

Funny, my testsystems come up with the log already rotated:
1 [1/3507]mh@emptybuster84:~ $ ls -lart /run/log/journal/*/
total 1,0M
drwxr-sr-x  3 root systemd-journal   60 Feb  3 09:23 ../
drwxr-s---+ 2 root systemd-journal   80 Feb  3 09:23 ./
-rw-r-----+ 1 root systemd-journal 512K Feb  3 09:23 system\@df0e6fdb74704597bc1caa52e21c2e51-0001-00059da7a4f87ae4.journal
-rw-r-----+ 1 root systemd-journal 512K Feb  3 09:26 system.journal
and the X bit already set.

But here is the proof:
1 [1/1534]mh@roll:~ $ ls -al /run/log/journal/*
total 5,0M
drwxr-s---+ 2 root systemd-journal   60 Feb  3 08:48 ./
drwxr-sr-x  3 root systemd-journal   60 Feb  3 08:48 ../
-rw-r-----+ 1 root systemd-journal 5,0M Feb  3 09:27 system.journal
[2/1535]mh@roll:~ $ sudo getfacl /run/log/journal/a663cb108c444a01ac0802d96eb0bccc/system.journal
[sudo] password for mh on roll: 
getfacl: Removing leading '/' from absolute path names
# file: run/log/journal/a663cb108c444a01ac0802d96eb0bccc/system.journal
# owner: root
# group: systemd-journal
user::rw-
group::r--
group:adm:r--
mask::r--
other::---

[3/1536]mh@roll:~ $ systemctl kill --signal=USR2 systemd-journald.service
Failed to kill unit systemd-journald.service: Access denied
1 [4/1537]mh@roll:~ $ sudo systemctl kill --signal=USR2 systemd-journald.service
[5/1538]mh@roll:~ $ sudo getfacl /run/log/journal/a663cb108c444a01ac0802d96eb0bccc/system.journal
getfacl: Removing leading '/' from absolute path names
# file: run/log/journal/a663cb108c444a01ac0802d96eb0bccc/system.journal
# owner: root
# group: systemd-journal
user::rw-
group::r-x  #effective:r--
group:adm:r-x   #effective:r--
mask::r--
other::---

[6/1539]mh@roll:~ $ 

This is a not-so-current sid (I have held updating for some days because
I didn't want the change to persistent logs affect the debugging) with
systemd 244-3.

Greetings
Marc

-- 
-
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany|  lose things."Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421



Bug#934284: journal sometimes with x-bit, sometimes without

2020-02-03 Thread Michael Biebl
On 03.02.20 at 08:50, Marc Haber wrote:
> So I now suspect that the x bit gets set during the log rotation. What
> umask is the process doing the log rotation running with?

The rotation is done by journald itself [1] iirc

As for the umask:
$ systemctl show systemd-journald.service -p UMask
UMask=0022

You should be able to trigger an explicit rotation by sending the
journald process SIGUSR2
$ systemctl kill --signal=USR2 systemd-journald.service

This should make it easier for you to check your theory.

Regards,
Michael


[1]
https://salsa.debian.org/systemd-team/systemd/blob/debian/master/src/journal/journald-server.c#L442
https://salsa.debian.org/systemd-team/systemd/blob/debian/master/src/journal/journal-file.c#L3500





Bug#934284: journal sometimes with x-bit, sometimes without

2020-02-02 Thread Marc Haber
On Sat, Feb 01, 2020 at 12:50:55PM +0100, Michael Biebl wrote:
> On Sat, 10 Aug 2019 12:37:04 +0200 Marc Haber wrote:
> > Hi Michael,
> > 
> > thanks for your answer.
> > 
> > On Fri, Aug 09, 2019 at 04:16:06PM +0200, Michael Biebl wrote:
> > > I have never seen this behaviour myself on the multitude of systems I
> > > run (laptop, servers, VM, containers) so I don't really have any idea.
> > 
> > How closely are you watching the ACLs on the journal files?
> > 
> 
> Forgot to answer here: I simply checked all systems I have access to.
> This was a one-time check and includes a couple of PIs, a few VMs,
> containers, a laptop and a server. For some of them, /tmp is on the
> root, ext4 file system. Most of them have tmpfs for /tmp (like in your
> case).

I usually have tmpfs for /tmp, and /run is a tmpfs as well.

> I guess once the x-bit has been set, it sticks? Or did it vanish (and
> reappear again) after some time, which would mean I'd need to
> continuously monitor the file system?

The system is booted, no x bit, then at some time, the x bit appears and
sticks until the machine is rebooted again.

> Btw, does this only affect system.journal or also the files that are
> rotated away? E.g. on one of my PIs this look like this
> 
> > root@raspberrypi:~# ls -l /run/log/journal/d3670ff77a0bb988a953e7f053a3f4e7/system*
> > -rw-r-----+ 1 root systemd-journal 2834432 Jan 24 03:17 /run/log/journal/d3670ff77a0bb988a953e7f053a3f4e7/system@ee9cfeba24044e90a191a267c13840a2-0001-00059cbeac13de5a.journal
> > -rw-r-----+ 1 root systemd-journal 2834432 Jan 27 06:17 /run/log/journal/d3670ff77a0bb988a953e7f053a3f4e7/system@ee9cfeba24044e90a191a267c13840a2-063b-00059cd95a64682e.journal
> > -rw-r-----+ 1 root systemd-journal 2834432 Jan 30 07:22 /run/log/journal/d3670ff77a0bb988a953e7f053a3f4e7/system@ee9cfeba24044e90a191a267c13840a2-0e28-00059d1837ab38f0.journal
> > -rw-r-----+ 1 root systemd-journal 2834432 Feb  1 05:39 /run/log/journal/d3670ff77a0bb988a953e7f053a3f4e7/system@ee9cfeba24044e90a191a267c13840a2-1675-00059d557cd266fa.journal
> > -rw-r-----+ 1 root systemd-journal 2834432 Feb  1 12:43 /run/log/journal/d3670ff77a0bb988a953e7f053a3f4e7/system.journal

Rotation is a very good point.

I have one machine that got rebooted on February 2 around 15:00, and my
check script reported the x bit on
run/log/journal/8f018d505adf4ecaad2720811a888b04/system.journal to be
reset after that.

Then, at 22:20, the report came in that the x bit on
run/log/journal/8f018d505adf4ecaad2720811a888b04/system.journal was set.

1 [1/2158]mh@oversway:~ $ ls -al /run/log/journal/8f018d505adf4ecaad2720811a888b04/
total 5,0M
drwxr-s---+ 2 root systemd-journal   80 Feb  2 22:17 ./
drwxr-sr-x  3 root systemd-journal   60 Feb  2 15:17 ../
-rw-r-----+ 1 root systemd-journal 2,5M Feb  2 22:17 system\@caad1846ab564a1c8d59d656f050776e-0001-00059d98777909b1.journal
-rw-r-----+ 1 root systemd-journal 2,5M Feb  3 08:41 system.journal
[2/2159]mh@oversway:~ $ 

This is consistent with the behavior I have seen on a different box. I
will take a closer look at those times now that we have some evidence.

So I now suspect that the x bit gets set during the log rotation. What
umask is the process doing the log rotation running with?

Greetings
Marc

-- 
-
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany|  lose things."Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421



Bug#934284: journal sometimes with x-bit, sometimes without

2020-02-01 Thread Michael Biebl
On Sat, 10 Aug 2019 12:37:04 +0200 Marc Haber wrote:
> Hi Michael,
> 
> thanks for your answer.
> 
> On Fri, Aug 09, 2019 at 04:16:06PM +0200, Michael Biebl wrote:
> > I have never seen this behaviour myself on the multitude of systems I
> > run (laptop, servers, VM, containers) so I don't really have any idea.
> 
> How closely are you watching the ACLs on the journal files?
> 

Forgot to answer here: I simply checked all systems I have access to.
This was a one-time check and includes a couple of PIs, a few VMs,
containers, a laptop and a server. For some of them, /tmp is on the
root, ext4 file system. Most of them have tmpfs for /tmp (like in your
case).

I guess once the x-bit has been set, it sticks? Or did it vanish (and
reappear again) after some time, which would mean I'd need to
continuously monitor the file system?

Btw, does this only affect system.journal or also the files that are
rotated away? E.g. on one of my PIs this look like this

> root@raspberrypi:~# ls -l /run/log/journal/d3670ff77a0bb988a953e7f053a3f4e7/system*
> -rw-r-----+ 1 root systemd-journal 2834432 Jan 24 03:17 /run/log/journal/d3670ff77a0bb988a953e7f053a3f4e7/system@ee9cfeba24044e90a191a267c13840a2-0001-00059cbeac13de5a.journal
> -rw-r-----+ 1 root systemd-journal 2834432 Jan 27 06:17 /run/log/journal/d3670ff77a0bb988a953e7f053a3f4e7/system@ee9cfeba24044e90a191a267c13840a2-063b-00059cd95a64682e.journal
> -rw-r-----+ 1 root systemd-journal 2834432 Jan 30 07:22 /run/log/journal/d3670ff77a0bb988a953e7f053a3f4e7/system@ee9cfeba24044e90a191a267c13840a2-0e28-00059d1837ab38f0.journal
> -rw-r-----+ 1 root systemd-journal 2834432 Feb  1 05:39 /run/log/journal/d3670ff77a0bb988a953e7f053a3f4e7/system@ee9cfeba24044e90a191a267c13840a2-1675-00059d557cd266fa.journal
> -rw-r-----+ 1 root systemd-journal 2834432 Feb  1 12:43 /run/log/journal/d3670ff77a0bb988a953e7f053a3f4e7/system.journal


Can you correlate the change with a cron-entry, systemd timer?
Do you use something like tmpreaper?

Michael





Bug#934284: journal sometimes with x-bit, sometimes without

2020-01-26 Thread Marc Haber
On Sun, Jan 26, 2020 at 01:49:18AM +0100, Michael Biebl wrote:
> On Mon, 9 Sep 2019 09:10:39 +0200 Marc Haber wrote:
> > On Sat, Aug 10, 2019 at 12:37:04PM +0200, Marc Haber wrote:
> > > Of course not, but no components that I have installed willingly. I'll roll out
> > > a monitoring job that runs more often than once daily so that the change gets
> > > timed more exactly. Unless I report back, don't bother with more research, it
> > > might be a real stupid thing.
> > 
> > Preliminary result is that after a reboot, the journal files seem to be
> > created without an x bit, and the x bit is then set some hours later,
> > unfortunately without corresponding log entries and not obviously
> > related to events happening on the machine.
> > 
> > I'll try to make out a pattern.
> 
> Did you have success with finding out more about this?

Other than the issue still happens on nearly all my servers, no. I'll
skim the systemd sources for code that might be changing a file's mode
in due time. Don't hold your breath though.

Greetings
Marc

-- 
-
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany|  lose things."Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421



Bug#934284: journal sometimes with x-bit, sometimes without

2020-01-25 Thread Michael Biebl
On Mon, 9 Sep 2019 09:10:39 +0200 Marc Haber wrote:
> On Sat, Aug 10, 2019 at 12:37:04PM +0200, Marc Haber wrote:
> > Of course not, but no components that I have installed willingly. I'll roll out
> > a monitoring job that runs more often than once daily so that the change gets
> > timed more exactly. Unless I report back, don't bother with more research, it
> > might be a real stupid thing.
> 
> Preliminary result is that after a reboot, the journal files seem to be
> created without an x bit, and the x bit is then set some hours later,
> unfortunately without corresponding log entries and not obviously
> related to events happening on the machine.
> 
> I'll try to make out a pattern.

Did you have success with finding out more about this?





Bug#934284: journal sometimes with x-bit, sometimes without

2019-09-09 Thread Marc Haber
On Sat, Aug 10, 2019 at 12:37:04PM +0200, Marc Haber wrote:
> Of course not, but no components that I have installed willingly. I'll roll out
> a monitoring job that runs more often than once daily so that the change gets
> timed more exactly. Unless I report back, don't bother with more research, it
> might be a real stupid thing.

Preliminary result is that after a reboot, the journal files seem to be
created without an x bit, and the x bit is then set some hours later,
unfortunately without corresponding log entries and not obviously
related to events happening on the machine.

I'll try to make out a pattern.

I'm open to suggestions to nail this.

Greetings
Marc

-- 
-
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany|  lose things."Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421



Bug#934284: journal sometimes with x-bit, sometimes without

2019-08-10 Thread Marc Haber
On Sat, Aug 10, 2019 at 01:05:50PM +0200, Michael Biebl wrote:
> grep "/run/log" /etc/tmpfiles.d/* /usr/lib/tmpfiles.d/*

[3/1641]mh@oversway:~ $ sudo grep "/run/log" /etc/tmpfiles.d/* /usr/lib/tmpfiles.d/*
grep: /etc/tmpfiles.d/*: No such file or directory
/usr/lib/tmpfiles.d/systemd.conf:d /run/log 0755 root root -
/usr/lib/tmpfiles.d/systemd.conf:z /run/log/journal 2755 root systemd-journal - -
/usr/lib/tmpfiles.d/systemd.conf:Z /run/log/journal/%m ~2750 root systemd-journal - -
/usr/lib/tmpfiles.d/systemd.conf:a+ /run/log/journal/%m - - - - d:group:adm:r-x
/usr/lib/tmpfiles.d/systemd.conf:a+ /run/log/journal/%m - - - - group:adm:r-x
/usr/lib/tmpfiles.d/systemd.conf:a+ /run/log/journal/%m/*.journal* - - - - group:adm:r--
2 [4/1641]mh@oversway:~ $ 

Greetings
Marc

-- 
-
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany|  lose things."Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421



Bug#934284: journal sometimes with x-bit, sometimes without

2019-08-10 Thread Michael Biebl
On 10.08.19 at 12:37, Marc Haber wrote:
> Hi Michael,
> 
> thanks for your answer.
> 
> On Fri, Aug 09, 2019 at 04:16:06PM +0200, Michael Biebl wrote:
>> I have never seen this behaviour myself on the multitude of systems I
>> run (laptop, servers, VM, containers) so I don't really have any idea.
> 
> How closely are you watching the ACLs on the journal files?

>> What are the permissions /ACLs on
>>
>> /run/log/journal/8f018d505adf4ecaad2720811a888b04/
> 
> [4/1633]mh@oversway:~ $ ls -lad  /run/log/journal/8f018d505adf4ecaad2720811a888b04
> drwxr-s---+ 2 root systemd-journal 200 Aug 10 08:09 /run/log/journal/8f018d505adf4ecaad2720811a888b04/
> [5/1634]mh@oversway:~ $ sudo getfacl /run/log/journal/8f018d505adf4ecaad2720811a888b04
> getfacl: Removing leading '/' from absolute path names
> # file: run/log/journal/8f018d505adf4ecaad2720811a888b04
> # owner: root
> # group: systemd-journal
> # flags: -s-
> user::rwx
> group::r-x
> group:adm:r-x
> mask::r-x
> other::---
> default:user::rwx
> default:group::r-x
> default:group:adm:r-x
> default:mask::r-x
> default:other::---
> 
> [6/1635]mh@oversway:~ $ 
> 
>> Do you have any tmpfiles which references files in /run/log ?
> 
> How would I find that out?

grep "/run/log" /etc/tmpfiles.d/* /usr/lib/tmpfiles.d/*

>> Can you exclude that non-systemd components change the permissions?
> 
> Of course not, but no components that I have installed willingly. I'll roll out
> a monitoring job that runs more often than once daily so that the change gets
> timed more exactly. Unless I report back, don't bother with more research, it
> might be a real stupid thing.
> 
> Greetings
> Marc
> 


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Bug#934284: journal sometimes with x-bit, sometimes without

2019-08-10 Thread Marc Haber
Hi Michael,

thanks for your answer.

On Fri, Aug 09, 2019 at 04:16:06PM +0200, Michael Biebl wrote:
> I have never seen this behaviour myself on the multitude of systems I
> run (laptop, servers, VM, containers) so I don't really have any idea.

How closely are you watching the ACLs on the journal files?

> What are the permissions /ACLs on
> 
> /run/log/journal/8f018d505adf4ecaad2720811a888b04/

[4/1633]mh@oversway:~ $ ls -lad  /run/log/journal/8f018d505adf4ecaad2720811a888b04
drwxr-s---+ 2 root systemd-journal 200 Aug 10 08:09 /run/log/journal/8f018d505adf4ecaad2720811a888b04/
[5/1634]mh@oversway:~ $ sudo getfacl /run/log/journal/8f018d505adf4ecaad2720811a888b04
getfacl: Removing leading '/' from absolute path names
# file: run/log/journal/8f018d505adf4ecaad2720811a888b04
# owner: root
# group: systemd-journal
# flags: -s-
user::rwx
group::r-x
group:adm:r-x
mask::r-x
other::---
default:user::rwx
default:group::r-x
default:group:adm:r-x
default:mask::r-x
default:other::---

[6/1635]mh@oversway:~ $ 

> Do you have any tmpfiles which references files in /run/log ?

How would I find that out?

> Can you exclude that non-systemd components change the permissions?

Of course not, but no components that I have installed willingly. I'll roll out
a monitoring job that runs more often than once daily so that the change gets
timed more exactly. Unless I report back, don't bother with more research, it
might be a real stupid thing.

Greetings
Marc

-- 
-
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany|  lose things."Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421



Bug#934284: journal sometimes with x-bit, sometimes without

2019-08-10 Thread Michael Biebl
On 09.08.19 at 16:16, Michael Biebl wrote:
> Control: tags -1 + moreinfo unreproducible
> 
> On 09.08.19 at 08:15, Marc Haber wrote:
>>
>> I have not fully understood what happens here. I am monitoring my
>> filesystems with aide, and sometimes get the following report:
>>
>> ---
>> Changed entries:
>> ---
>>
>> f   .... A.  : /run/log/journal/8f018d505adf4ecaad2720811a888b04/system.journal
>>
>> ---
>> Detailed information about changes:
>> ---
>>
>> File: /run/log/journal/8f018d505adf4ecaad2720811a888b04/system.journal
>>   ACL  : A: user::rw-     | A: user::rw-
>>          A: group::r--    | A: group::r-x  #effective:r--
>>          A: group:adm:r-- | A: group:adm:r-x  #effective:r--
>>          A: mask::r--     | A: mask::r--
>>          A: other::---    | A: other::---
>>
>> This means that the system.journal has grown an x bit since the last
>> aide run. This looks to me that the file gets created without the x bit,
>> and then the x bit gets added at some later time.
>>
>> Since the file is not executable, the X bit should not be set in the
>> first place. If it's necessary for some magic, then it should be set
>> from the beginning.
>>
>> I am seeing this on more than just a few systems, also on buster and
>> sid. I am reporting this from a stretch system just coincidentally, if
>> you need information from a more modern system, please let me know.
>>
>> Can you shed some light on this please?
> 
> I have never seen this behaviour myself on the multitude of systems I
> run (laptop, servers, VM, containers) so I don't really have any idea.
> 
> What are the permissions /ACLs on
> 
> /run/log/journal/8f018d505adf4ecaad2720811a888b04/
> 
> Do you have any tmpfiles which references files in /run/log ?
> Can you exclude that non-systemd components change the permissions?

The only (slightly) relevant issues I found so far are
https://github.com/systemd/systemd/issues/1977
but that concerns user journals only and only persistent journal
Also fixed a long time ago.

The second is
https://github.com/systemd/systemd/commit/d428dd6ac9a56e7b3421fb8ef3aac9937a4a2e62
This is also fixed since v230 unless you have an outdated copy of
system.conf installed in /etc which was not updated.



-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Bug#934284: journal sometimes with x-bit, sometimes without

2019-08-09 Thread Michael Biebl
Control: tags -1 + moreinfo unreproducible

On 09.08.19 at 08:15, Marc Haber wrote:
> 
> I have not fully understood what happens here. I am monitoring my
> filesystems with aide, and sometimes get the following report:
> 
> ---
> Changed entries:
> ---
> 
> f   .... A.  : /run/log/journal/8f018d505adf4ecaad2720811a888b04/system.journal
> 
> ---
> Detailed information about changes:
> ---
> 
> File: /run/log/journal/8f018d505adf4ecaad2720811a888b04/system.journal
>   ACL  : A: user::rw-     | A: user::rw-
>          A: group::r--    | A: group::r-x  #effective:r--
>          A: group:adm:r-- | A: group:adm:r-x  #effective:r--
>          A: mask::r--     | A: mask::r--
>          A: other::---    | A: other::---
> 
> This means that the system.journal has grown an x bit since the last
> aide run. This looks to me that the file gets created without the x bit,
> and then the x bit gets added at some later time.
> 
> Since the file is not executable, the X bit should not be set in the
> first place. If it's necessary for some magic, then it should be set
> from the beginning.
> 
> I am seeing this on more than just a few systems, also on buster and
> sid. I am reporting this from a stretch system just coincidentally, if
> you need information from a more modern system, please let me know.
> 
> Can you shed some light on this please?

I have never seen this behaviour myself on the multitude of systems I
run (laptop, servers, VM, containers) so I don't really have any idea.

What are the permissions /ACLs on

/run/log/journal/8f018d505adf4ecaad2720811a888b04/

Do you have any tmpfiles which references files in /run/log ?
Can you exclude that non-systemd components change the permissions?

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?


