While a separate group to own the journal files is desirable, which
group it is should be tweakable (to the point where it can be set to
an existing group, like adm, for systems where that makes sense).

To this end, this patch introduces a --with-journal-group=GROUP option
to configure, and uses the supplied value (or systemd-journal, if none
specified) as the dedicated group.

Signed-off-by: Gergely Nagy <[email protected]>
---
 configure.ac                     |    8 ++++++++
 man/systemd-journald.service.xml |    7 ++++---
 src/journal/journalctl.c         |   12 ++++++------
 src/journal/journald-server.c    |    2 +-
 4 files changed, 19 insertions(+), 10 deletions(-)

diff --git a/configure.ac b/configure.ac
index 43b8225..47527da 100644
--- a/configure.ac
+++ b/configure.ac
@@ -793,6 +793,14 @@ AC_ARG_WITH([tty-gid],
         [AC_DEFINE_UNQUOTED(TTY_GID, [$withval], [GID of the 'tty' group])],
         [])
 
+AC_ARG_WITH([journal-group],
+        [AS_HELP_STRING([--with-journal-group=GROUP],
+                [Specify the group systemd-journal files should belong to])],
+        [journal_group="$withval"],
+        [journal_group="systemd-journal"])
+
+AC_DEFINE_UNQUOTED(JOURNAL_GROUP, ["$journal_group"], [Group of journal files 
should belong to])]
+
 AC_ARG_WITH([dbuspolicydir],
         AS_HELP_STRING([--with-dbuspolicydir=DIR], [D-Bus policy directory]),
         [],
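Review bot: The added AC_DEFINE_UNQUOTED line closes with `])]`, which looks like one `]` too many: the description quote and the macro call are already closed by `])`, so the trailing `]` is an unbalanced close quote that m4 will pass through into the generated configure script; the line should read `AC_DEFINE_UNQUOTED(JOURNAL_GROUP, ["$journal_group"], [Group the journal files should belong to])`. The option also accepts a bare `--with-journal-group` or `--without-journal-group`, for which autoconf sets `$withval` to `yes` or `no`, so journald would end up chowning journal files to a group literally named "yes" (or "no") that presumably does not exist. A guard in the action-if-given branch, `AS_IF([test "x$withval" = xyes -o "x$withval" = xno], [AC_MSG_ERROR([--with-journal-group needs a group name])])`, would reject that before the assignment. Because whichever group is chosen becomes the set of users able to read every journal on the system, the help string could say so explicitly, e.g. `[Group that owns, and may read, the journal files (default: systemd-journal)]`.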
diff --git a/man/systemd-journald.service.xml b/man/systemd-journald.service.xml
index bc32c8e..5d6c112 100644
--- a/man/systemd-journald.service.xml
+++ b/man/systemd-journald.service.xml
@@ -161,9 +161,10 @@
         <refsect1>
                 <title>Access Control</title>
 
-                <para>Journal files are by default owned and readable
-                by the <literal>systemd-journal</literal> system group
-                (but not writable). Adding a user to this group thus
+                <para>Unless configured differently, journal files are
+                by default owned and readable by the
+                <literal>systemd-journal</literal> system group (but
+                not writable). Adding a user to this group thus
                 enables her/him to read the journal files.</para>
 
                 <para>By default, each logged in user will get her/his
diff --git a/src/journal/journalctl.c b/src/journal/journalctl.c
index c90fecd..0171859 100644
--- a/src/journal/journalctl.c
+++ b/src/journal/journalctl.c
@@ -870,16 +870,16 @@ static int verify(sd_journal *j) {
 static int access_check(void) {
 
 #ifdef HAVE_ACL
-        if (access("/var/log/journal", F_OK) < 0 && geteuid() != 0 && 
in_group("systemd-journal") <= 0) {
-                log_error("Unprivileged users can't see messages unless 
persistent log storage is enabled. Users in the group 'systemd-journal' can 
always see messages.");
+        if (access("/var/log/journal", F_OK) < 0 && geteuid() != 0 && 
in_group(JOURNAL_GROUP) <= 0) {
+                log_error("Unprivileged users can't see messages unless 
persistent log storage is enabled. Users in the group '%s' can always see 
messages.", JOURNAL_GROUP);
                 return -EACCES;
         }
 
-        if (!arg_quiet && geteuid() != 0 && in_group("systemd-journal") <= 0)
-                log_warning("Showing user generated messages only. Users in 
the group 'systemd-journal' can see all messages. Pass -q to turn this notice 
off.");
+        if (!arg_quiet && geteuid() != 0 && in_group(JOURNAL_GROUP) <= 0)
+                log_warning("Showing user generated messages only. Users in 
the group '%s' can see all messages. Pass -q to turn this notice off.", 
JOURNAL_GROUP);
 #else
-        if (geteuid() != 0 && in_group("systemd-journal") <= 0) {
-                log_error("No access to messages. Only users in the group 
'systemd-journal' can see messages.");
+        if (geteuid() != 0 && in_group(JOURNAL_GROUP) <= 0) {
+                log_error("No access to messages. Only users in the group '%s' 
can see messages.", JOURNAL_GROUP);
                 return -EACCES;
         }
 #endif
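Review bot: All three checks treat a negative return from `in_group(JOURNAL_GROUP)` the same as "not a member" and then advise the user to join that group; now that the name is fixed at build time, a system where the configured group was never created (say a build with `--with-journal-group=foo` and no such entry in the group database) gets the same advice, which cannot be acted on. If `in_group()` reports a failed lookup as a negative value, which I cannot confirm from the hunk, capturing it once with `int r = in_group(JOURNAL_GROUP);` and logging something like `Group '%s' does not exist; journal access cannot be granted through it` for `r < 0` before falling through to the membership messages would tell the administrator what is actually wrong. As a matter of style, `geteuid() != 0 && in_group(JOURNAL_GROUP) <= 0` is now spelled out three times across the two `#ifdef` branches and could be evaluated once at the top of access_check into a `bool` that all three conditions share.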
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
index ac565c7..a933662 100644
--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@@ -174,7 +174,7 @@ static uint64_t available_space(Server *s) {
 }
 
 static void server_read_file_gid(Server *s) {
-        const char *g = "systemd-journal";
+        const char *g = JOURNAL_GROUP;
         int r;
 
         assert(s);
-- 
1.7.10.4

