journal: make gatewayd run under its own user ID

README

@@ -101,11 +101,12 @@ REQUIREMENTS:
         pass the same DESTDIR to 'make sphinx-html' invocation.
 
 USERS AND GROUPS:
-        Default udev rules use the following standard system group names,\
+        Default udev rules use the following standard system group
-        which need to be resolvable by getgrnam() at any time, even in the
+        names, which need to be resolvable by getgrnam() at any time,
-        very early boot stages, where no other databases and network is
+        even in the very early boot stages, where no other databases
-        available:
+        and network are available:
-          tty, dialout, kmem, video, audio, lp, floppy, cdrom, tape, disk
+
+        tty, dialout, kmem, video, audio, lp, floppy, cdrom, tape, disk
 
         During runtime the journal daemon requires the
         "system-journal" system group to exist. New journal files will
@@ -119,6 +120,11 @@ USERS AND GROUPS:
 
         # setfacl -nm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/
 
+        The journal gateway daemon requires the
+        "system-journal-gateway" system user and group to
+        exist. During execution this network facing service will drop
+        privileges and assume this uid/gid for security reasons.
+
 WARNINGS:
         systemd will warn you during boot if /etc/mtab is not a
         symlink to /proc/mounts. Please ensure that /etc/mtab is a

units/systemd-journal-gatewayd.service.in

@@ -11,6 +11,9 @@ Requires=systemd-journal-gatewayd.socket
 
 [Service]
 ExecStart=@rootlibexecdir@/systemd-journal-gatewayd
+User=systemd-journal-gateway
+Group=systemd-journal-gateway
+SupplementaryGroups=systemd-journal
 
 [Install]
 Also=systemd-journal-gatewayd.socket