|
 |
923a60 |
From cf04c51fb2d5ce08a8b8aafec999e2007ef53c83 Mon Sep 17 00:00:00 2001
|
|
|
923a60 |
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
|
|
|
923a60 |
Date: Sun, 8 Mar 2015 11:04:59 -0400
|
|
|
923a60 |
Subject: [PATCH] journalctl: update hint now that we set ACL everywhere
|
|
|
923a60 |
|
|
|
923a60 |
(cherry picked from commit 05c1853093d8c4e4aa16876b5129b65dac5abd01)
|
|
|
923a60 |
---
|
|
|
923a60 |
src/journal/journalctl.c | 25 +++++++++++--------------
|
|
|
923a60 |
1 file changed, 11 insertions(+), 14 deletions(-)
|
|
|
923a60 |
|
|
|
923a60 |
diff --git a/src/journal/journalctl.c b/src/journal/journalctl.c
|
|
|
923a60 |
index 55c7786331..12c869f5af 100644
|
|
|
923a60 |
--- a/src/journal/journalctl.c
|
|
|
923a60 |
+++ b/src/journal/journalctl.c
|
|
|
923a60 |
@@ -1542,10 +1542,17 @@ static int access_check_var_log_journal(sd_journal *j) {
|
|
|
923a60 |
have_access = in_group("systemd-journal") > 0;
|
|
|
923a60 |
|
|
|
923a60 |
if (!have_access) {
|
|
|
923a60 |
+ const char* dir;
|
|
|
923a60 |
+
|
|
|
923a60 |
+ if (access("/run/log/journal", F_OK) >= 0)
|
|
|
923a60 |
+ dir = "/run/log/journal";
|
|
|
923a60 |
+ else
|
|
|
923a60 |
+ dir = "/var/log/journal";
|
|
|
923a60 |
+
|
|
|
923a60 |
/* Let's enumerate all groups from the default ACL of
|
|
|
923a60 |
* the directory, which generally should allow access
|
|
|
923a60 |
* to most journal files too */
|
|
|
923a60 |
- r = search_acl_groups(&g, "/var/log/journal/", &have_access);
|
|
|
923a60 |
+ r = search_acl_groups(&g, dir, &have_access);
|
|
|
923a60 |
if (r < 0)
|
|
|
923a60 |
return r;
|
|
|
923a60 |
}
|
|
|
923a60 |
@@ -1571,7 +1578,7 @@ static int access_check_var_log_journal(sd_journal *j) {
|
|
|
923a60 |
return log_oom();
|
|
|
923a60 |
|
|
|
923a60 |
log_notice("Hint: You are currently not seeing messages from other users and the system.\n"
|
|
|
923a60 |
- " Users in the groups '%s' can see all messages.\n"
|
|
|
923a60 |
+ " Users in groups '%s' can see all messages.\n"
|
|
|
923a60 |
" Pass -q to turn off this notice.", s);
|
|
|
923a60 |
}
|
|
|
923a60 |
}
|
|
|
923a60 |
@@ -1595,18 +1602,8 @@ static int access_check(sd_journal *j) {
|
|
|
923a60 |
|
|
|
923a60 |
if (set_contains(j->errors, INT_TO_PTR(-EACCES))) {
|
|
|
923a60 |
#ifdef HAVE_ACL
|
|
|
923a60 |
- /* If /var/log/journal doesn't even exist,
|
|
|
923a60 |
- * unprivileged users have no access at all */
|
|
|
923a60 |
- if (access("/var/log/journal", F_OK) < 0 &&
|
|
|
923a60 |
- geteuid() != 0 &&
|
|
|
923a60 |
- in_group("systemd-journal") <= 0) {
|
|
|
923a60 |
- log_error("Unprivileged users cannot access messages, unless persistent log storage is\n"
|
|
|
923a60 |
- "enabled. Users in the 'systemd-journal' group may always access messages.");
|
|
|
923a60 |
- return -EACCES;
|
|
|
923a60 |
- }
|
|
|
923a60 |
-
|
|
|
923a60 |
- /* If /var/log/journal exists, try to pring a nice
|
|
|
923a60 |
- notice if the user lacks access to it */
|
|
|
923a60 |
+ /* If /run/log/journal or /var/log/journal exist, try
|
|
|
923a60 |
+ to pring a nice notice if the user lacks access to it. */
|
|
|
923a60 |
if (!arg_quiet && geteuid() != 0) {
|
|
|
923a60 |
r = access_check_var_log_journal(j);
|
|
|
923a60 |
if (r < 0)
|