From a1533ad73f099ed7f2c01a69c23ad700fbf249f3 Mon Sep 17 00:00:00 2001 From: Anita Zhang Date: Wed, 18 Dec 2019 16:09:49 -0800 Subject: [PATCH] [man] note which UID ranges will get user journals Fixes #13926 --- man/journald.conf.xml | 7 +++++-- man/systemd-journald.service.xml | 7 +++++-- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/man/journald.conf.xml b/man/journald.conf.xml index 6c9268f4dc..d16cb18580 100644 --- a/man/journald.conf.xml +++ b/man/journald.conf.xml @@ -110,8 +110,11 @@ Controls whether to split up journal files per user, either uid or none. Split journal files are primarily useful for access control: on UNIX/Linux access control is managed per file, and the journal daemon will assign users read access to their journal files. If - uid, all regular users will each get their own journal files, and system users will log to - the system journal. If none, journal files are not split up by user and all messages are + uid, all regular users (with UID outside the range of system users, dynamic service users, + and the nobody user) will each get their own journal files, and system users will log to the system journal. + See Users, Groups, UIDs and GIDs on systemd systems + for more details about UID ranges. + If none, journal files are not split up by user and all messages are instead stored in the single system journal. In this mode unprivileged users generally do not have access to their own log data. Note that splitting up journal files by user is only available for journals stored persistently. If journals are stored on volatile storage (see Storage= above), only a single diff --git a/man/systemd-journald.service.xml b/man/systemd-journald.service.xml index ea6fb54673..ec9f974f2d 100644 --- a/man/systemd-journald.service.xml +++ b/man/systemd-journald.service.xml 
@@ -200,8 +200,11 @@ systemd-tmpfiles --create --prefix /var/log/journal writable. Adding a user to this group thus enables them to read the journal files. - By default, each logged in user will get their own set of - journal files in /var/log/journal/. These + By default, each user, with a UID outside the range of system users, + dynamic service users, and the nobody user, will get their own set of + journal files in /var/log/journal/. See + Users, Groups, UIDs and GIDs on systemd systems + for more details about UID ranges. These journal files will not be owned by the user, however, in order to avoid that the user can write to them directly. Instead, file system ACLs are used to ensure the user gets read access only.
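Review bot: in the first hunk (man/journald.conf.xml) the new exclusion list is wider than the sentence's conclusion: the parenthetical now excludes system users, dynamic service users and the nobody user from per-user journals, but the sentence still ends with only "system users will log to the system journal", leaving where dynamic service users' and nobody's messages go unstated. Suggest ending with something like "and all other users (system users, dynamic service users and nobody) will log to the system journal." Two smaller points: "with UID outside the range" reads better as "with a UID outside the range", and the second added line runs well past the wrap width of the surrounding lines and should be rewrapped to match.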
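Review bot: in the second hunk (man/systemd-journald.service.xml) the commas around "with a UID outside the range of system users, dynamic service users, and the nobody user" make the clause non-restrictive, so the sentence reads as if every user gets their own journal files and the UID condition is merely an aside; drop the commas so the condition restricts: "each user with a UID outside the range of system users, dynamic service users and the nobody user will get their own set of journal files". The hunk also drops "logged in" from the old wording, which changes when a reader expects the files to exist; the commit message only mentions the UID ranges, so either keep that qualifier or say in the message that it was removed deliberately.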