On Wed, Jun 11, 2014 at 10:53:53AM +0200, Lennart Poettering wrote:
> On Mon, 09.06.14 20:05, Jan Alexander Steffens (heftig)
> (jan.steff...@gmail.com) wrote:
>
> > They shouldn't be executable nor world-readable.
>
> I have now committed a different set of patches to clean this up for
> good:
>
> I have made "m" a true alias of "z" since it was pretty much a
> non-globbing version of "z", and hence redundant. I have also removed
> "m" from the docs, so that people use only "z" from now on.
>
> I have also introduced a new syntax for access modes: if the access mode
> is prefixed with "~" it will be masked by the executability,
> readability, and writability of the existing node. Also, the
> suid/sgid/sticky bits will be masked if the existing node is a
> directory. This makes "Z" a lot more useful, for recursively applying
> access modes.
>
> Then, I have changed journald to always create /run/log/journal/%m as
> 0750 (i.e. dropped world-readability), so that unprivileged processes
> don't even get access to the dir at all. /var/log/journal/%m keeps the
> 0755 however, since on /var we do the per-user ACL magic, and hence
> unprivileged users need read access to the dir after all...
>
> I have also downgraded the Z to z for /var/log/journal/%m, since that
> might get expensive, since there might be a lot of files in there. Also,
> given that we never write to the dir before tmpfiles ran (and thus the
> sgid bit was set) it appears unnecessary to recursively adjust the
> mode/user/group of all files in the dir. This is different for
> /run/log/journal/%m of course, since that is volatile, and we start
> writing to it very early on.
>
> This should settle all the confusion and chaos around the handling of
> the journal files in tmpfiles. Please test if everything works correctly
> now!
Nice, that sounds like a much better change. I'll test this all out soon to
make sure a "first boot on a clean system" works properly.

thanks,

greg k-h
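The "~" mode masking that Lennart describes above, modelled as an added Python example; this is not systemd's own tmpfiles code. It walks a constructed stand-in for /run/log/journal/%m (MACHINEID is a placeholder for the real machine-id, and the file names and modes are made up) and shows why a plain "Z 2750" is harmful, while "Z ~2750" leaves the directory 2750 and the journal files without execute or sgid bits. The r/w/x masking follows the message; the suid/sgid/sticky handling implements the rule as documented in tmpfiles.d(5), where those bits survive only on directories.

```python
import stat

# Constructed sample tree standing in for /run/log/journal/%m after boot:
# path -> st_mode (type bits plus permission bits), as os.stat() reports it.
# MACHINEID is a placeholder for the machine-id; the file names are invented.
SAMPLE_TREE = {
    "/run/log/journal/MACHINEID": stat.S_IFDIR | 0o755,
    "/run/log/journal/MACHINEID/system.journal": stat.S_IFREG | 0o644,
    "/run/log/journal/MACHINEID/user-1000.journal": stat.S_IFREG | 0o600,
}


def parse_mode(spec):
    """Split a tmpfiles.d mode field into (masked, mode).

    A leading '~' selects the masking behaviour; the rest is octal."""
    masked = spec.startswith("~")
    return masked, int(spec.lstrip("~"), 8)


def mask_mode(requested, existing):
    """Apply the '~' rule to a requested mode given the existing st_mode.

    Each of the x, w and r classes is dropped from the requested mode when
    the existing node has none of those bits set, so a 0644 file never
    gains execute bits. suid/sgid/sticky are kept only on directories
    (the rule as documented in tmpfiles.d(5))."""
    m = requested
    for cls in (0o111, 0o222, 0o444):
        if not existing & cls:
            m &= ~cls
    if not stat.S_ISDIR(existing):
        m &= ~0o7000
    return m & 0o7777


def apply_z_entry(mode_spec, tree):
    """Model a recursive 'Z' line over every node of tree.

    Returns path -> resulting permission bits."""
    masked, requested = parse_mode(mode_spec)
    result = {}
    for path, st_mode in tree.items():
        result[path] = mask_mode(requested, st_mode) if masked else requested
    return result


def world_accessible(mode):
    """True if 'other' holds any bit, i.e. an unprivileged process can at
    least enter or read the node (the property 0750 on the dir removes)."""
    return bool(mode & 0o007)


if __name__ == "__main__":
    for spec in ("2750", "~2750"):
        print(f"Z {spec}:")
        for path, mode in apply_z_entry(spec, SAMPLE_TREE).items():
            print(f"  {mode:05o} {path}")
```

Running it prints the tree twice: with "2750" every journal file ends up 2750 (executable, sgid), with "~2750" the directory stays 02750 and the files become 0640, which is the behaviour that makes "Z" usable on a directory full of data files.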