Hi Michael, thanks to some insights from Bastian Blank explaining ACLs, I have the following hypothesis:
- System boots up
- journald starts
- journald creates directories in /run/log without caring much
- journald begins logging, creating files without x bits
- systemd-tmpfiles starts
- systemd-tmpfiles fixes directory permissions, including ACL and default settings (cf. /usr/lib/tmpfiles.d/systemd.conf)
- journald rotates logs
- new journal is created
- default settings on the directory are honored now
- so the new journal has the x bit set
Nowadays I have a persistent journal enabled basically everywhere, which somewhat mitigates this issue, as /var/log/journal/<machineid> will persist across reboots and new files will always inherit the same ACL settings.
For fun I removed /var/log/journal on a PI and just rebooted it:

root@raspberrypi:/run/log/journal/92e74c0bd699cc0d17d48ad852cc73e2# ll
-rw-r-----+ 1 root systemd-journal 1130496 14. Mär 11:16 system@4e4fa9683e9041d08a052d753423c783-0000000000000001-0005da2af7b5dcad.journal
-rw-r-----+ 1 root systemd-journal 1130496 14. Mär 11:20 system.journal
root@raspberrypi:/run/log/journal/92e74c0bd699cc0d17d48ad852cc73e2# getfacl *
# file: system@4e4fa9683e9041d08a052d753423c783-0000000000000001-0005da2af7b5dcad.journal
# owner: root
# group: systemd-journal
user::rw-
group::r--
group:adm:r--
mask::r--
other::---

# file: system.journal
# owner: root
# group: systemd-journal
user::rw-
group::r-x              #effective:r--
group:adm:r-x           #effective:r--
mask::r--
other::---

systemd-tmpfiles-setup.service has an explicit After=systemd-journald.service. So your theory would be a reasonable explanation for what we are seeing here.
That said, I know too little about ACLs to suggest a way to set up the parent folder differently so that new files do not get the (ineffective) x bit. It's a bit of an oddity for sure, but at least with a persistent journal you would not get this warning from aide, I assume, as all files would now have an (ineffective) x bit set?
Michael
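The inheritance rule behind the second getfacl listing, as an added Python model that is not code from systemd or from this bug report. It implements the object-creation rule from acl(5): a new file inherits the directory's default ACL, and only the entries that back the file permission bits (user::, mask:: when present, other::) are intersected with the mode passed to open(); group:: and named entries keep their inherited permissions, which is where a file opened with 0640 ends up with an x bit that the mask makes ineffective. Assumptions: the journal is created with mode 0640 (the listing shows -rw-r-----), and the default ACL on the directory is what `setfacl -d -m group:adm:r-x` leaves on a mode-2755 directory, i.e. user::rwx, group::r-x, group:adm:r-x, mask::r-x, other::r-x. The model does not try to reproduce the extra group:adm:r-- access entry on the first file; it only shows why the x bit appears once the default ACL is in place.

```python
"""Model of POSIX.1e default-ACL inheritance as specified in acl(5).

Added illustration for the journald/tmpfiles discussion above; not systemd code.
"""

READ, WRITE, EXEC = 4, 2, 1


def perm_to_bits(perm: str) -> int:
    """'r-x' -> 5"""
    return ((READ if "r" in perm else 0) | (WRITE if "w" in perm else 0)
            | (EXEC if "x" in perm else 0))


def bits_to_perm(bits: int) -> str:
    """5 -> 'r-x'"""
    return (("r" if bits & READ else "-") + ("w" if bits & WRITE else "-")
            + ("x" if bits & EXEC else "-"))


def parse_acl(text: str):
    """Parse getfacl-style lines ('user::rwx', 'group:adm:r-x', ...) into
    (tag, qualifier, bits) tuples. '#' header and '#effective:' notes are dropped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#")[0].strip()
        if not line:
            continue
        tag, qualifier, perm = line.split(":")
        entries.append((tag, qualifier, perm_to_bits(perm)))
    return entries


def acl_from_mode(mode: int):
    """Minimal ACL for a file whose parent has no default ACL: just the mode bits."""
    return [("user", "", (mode >> 6) & 7), ("group", "", (mode >> 3) & 7),
            ("other", "", mode & 7)]


def create_file_acl(default_acl, mode: int):
    """acl(5) object creation: copy the default ACL, then clip user:: to the
    owner bits, mask:: (or group:: if there is no mask) to the group bits and
    other:: to the other bits of `mode`. Everything else is inherited unchanged."""
    if not default_acl:
        return acl_from_mode(mode)
    owner, group, other = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    has_mask = any(tag == "mask" for tag, _, _ in default_acl)
    result = []
    for tag, qualifier, bits in default_acl:
        if tag == "user" and qualifier == "":
            bits &= owner
        elif tag == "mask":
            bits &= group
        elif tag == "group" and qualifier == "" and not has_mask:
            bits &= group
        elif tag == "other":
            bits &= other
        result.append((tag, qualifier, bits))
    return result


def _mask_applies(tag: str, qualifier: str) -> bool:
    # The mask limits named users, the owning group and named groups; not the owner.
    return tag == "group" or (tag == "user" and qualifier != "")


def format_acl(acl) -> str:
    """Render like getfacl, with '#effective:' where the mask cuts an entry down."""
    mask = next((bits for tag, _, bits in acl if tag == "mask"), None)
    lines = []
    for tag, qualifier, bits in acl:
        line = f"{tag}:{qualifier}:{bits_to_perm(bits)}"
        if mask is not None and _mask_applies(tag, qualifier) and bits & mask != bits:
            line += f"\t#effective:{bits_to_perm(bits & mask)}"
        lines.append(line)
    return "\n".join(lines)


def ineffective_x_entries(acl):
    """Entries carrying an x bit that the mask cancels (the oddity in the listing)."""
    mask = next((bits for tag, _, bits in acl if tag == "mask"), None)
    if mask is None or mask & EXEC:
        return []
    return [f"{tag}:{q}" for tag, q, bits in acl
            if bits & EXEC and _mask_applies(tag, q)]


# Constructed inputs (assumptions, see lead-in): the default ACL that
# `setfacl -d -m group:adm:r-x` leaves on a 2755 directory, and journald's 0640.
DEFAULT_ACL_AFTER_TMPFILES = parse_acl("""
user::rwx
group::r-x
group:adm:r-x
mask::r-x
other::r-x
""")
JOURNAL_MODE = 0o640


def journal_before_tmpfiles():
    """Directory still has no default ACL: the 0640 mode carries through, no x bit anywhere."""
    return create_file_acl([], JOURNAL_MODE)


def journal_after_tmpfiles():
    """Directory carries the default ACL: group:: and group:adm keep r-x, mask drops to r--."""
    return create_file_acl(DEFAULT_ACL_AFTER_TMPFILES, JOURNAL_MODE)


if __name__ == "__main__":
    print("before tmpfiles ran:\n" + format_acl(journal_before_tmpfiles()))
    print("\nafter tmpfiles ran:\n" + format_acl(journal_after_tmpfiles()))
    print("\nentries with an ineffective x bit:", ineffective_x_entries(journal_after_tmpfiles()))
```

The second rendering matches the system.journal listing above entry for entry. The x bit is in the default group entries because the same default ACL is also copied onto new subdirectories, which need x to be traversable; the mask, clipped to the r-- group bits of 0640, is what keeps it from granting anything on the file.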