diff --git a/Makefile.am b/Makefile.am
index 3d3f2652f6..13211c45bd 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2563,9 +2563,16 @@ libsystemd_journal_internal_la_LIBADD += \
 $(GCRYPT_LIBS)
 endif
 
-# move lib from $(libdir) to $(rootlibdir) and update devel link, if needed
+# move lib from $(libdir) to $(rootlibdir) and update devel link, if
+# needed. Also, grant read access to new journal files to members of
+# "adm" and "wheel".
 libsystemd-journal-install-hook:
 libname=libsystemd-journal.so && $(move-to-rootlibdir)
+ $(MKDIR_P) $(DESTDIR)/var/log/journal
+ -chown 0:0 $(DESTDIR)/var/log/journal
+ -chmod 755 $(DESTDIR)/var/log/journal
+ -setfacl -nm g:adm:rx,d:g:adm:rx $(DESTDIR)/var/log/journal/
+ -setfacl -nm g:wheel:rx,d:g:wheel:rx $(DESTDIR)/var/log/journal/
 
 libsystemd-journal-uninstall-hook:
 rm -f $(DESTDIR)$(rootlibdir)/libsystemd-journal.so*
diff --git a/README b/README
index d8b1b1296a..300a4cf8bc 100644
--- a/README
+++ b/README
@@ -100,6 +100,19 @@ REQUIREMENTS:
 being 'html' or 'latexpdf'. If using DESTDIR for installation, pass the same DESTDIR to 'make sphinx-html' invocation.
 
+USERS AND GROUPS:
+ During runtime the journal daemon requires the
+ "system-journal" system group to exist. New journal files will
+ be readable by this group (but not writable) which may be used
+ to grant specific users read access.
+
+ It is also recommended to grant read access to all journal
+ files to the system groups "wheel" and "adm" with a command
+ like the following in the post installation script of the
+ package:
+
+ # setfacl -nm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/
+
 WARNINGS:
 systemd will warn you during boot if /etc/mtab is not a symlink to /proc/mounts. Please ensure that /etc/mtab is a
diff --git a/man/systemd-journald.service.xml b/man/systemd-journald.service.xml
index 4969ab19c3..bc32c8e38b 100644
--- a/man/systemd-journald.service.xml
+++ b/man/systemd-journald.service.xml
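Review bot: The five recipe lines added to libsystemd-journal-install-hook run on every `make install`, so an install into a live root resets the owner, mode and ACLs of an already populated /var/log/journal, and the `-` prefix hides any of those steps failing (setfacl missing, or a filesystem without ACL support). Guarding the ownership and mode steps on the directory not existing yet would confine the reset to a first installation, e.g. `test -d $(DESTDIR)/var/log/journal || { $(MKDIR_P) $(DESTDIR)/var/log/journal && chown 0:0 $(DESTDIR)/var/log/journal && chmod 755 $(DESTDIR)/var/log/journal; }` in place of the first three added lines. The README hunk in this commit already recommends applying the ACLs from the package's post-installation script, which is presumably the more reliable place since a DESTDIR staging tree may not carry ACLs through packaging; the comment above the hook could say that the hook is a convenience for unpackaged installs only. The comment should also make the group split explicit, since the daemon itself resolves a different group than the two granted here: `# The daemon uses the "systemd-journal" group for file ownership; "adm" and "wheel" get read access through ACLs only.`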
@@ -158,6 +158,38 @@ + + Access Control + + Journal files are by default owned and readable + by the systemd-journal system group + (but not writable). Adding a user to this group thus + enables her/him to read the journal files. + + By default, each logged in user will get her/his + own set of journal files in + /var/log/journal/. These files + will not be owned by the user however, in order to + avoid that the user can write to them + directly. Instead, file system ACLs are used to ensure + the user gets read access only. + + Additional users and groups may be granted + access to journal files via file system access control + lists (ACL). Distributions and administrators may + choose to grant read access to all members of the + wheel and adm + system groups with a command such as the + following: + + # setfacl -Rnm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/ + + Note that this command will update the ACLs both + for existing journal files and for future journal + files created in the + /var/log/journal/ + directory. + See Also @@ -166,7 +198,8 @@ journalctl1, journald.conf5, systemd.journal-fields7, - sd-journal3 + sd-journal3, + setfacl1 diff --git a/src/journal/journalctl.c b/src/journal/journalctl.c index d898ae7179..cb93fea63b 100644 --- a/src/journal/journalctl.c +++ b/src/journal/journalctl.c 
@@ -870,16 +870,16 @@ static int verify(sd_journal *j) {
 static int access_check(void) {
 
 #ifdef HAVE_ACL
- if (access("/var/log/journal", F_OK) < 0 && geteuid() != 0 && in_group("adm") <= 0) {
- log_error("Unprivileged users can't see messages unless persistent log storage is enabled. Users in the group 'adm' can always see messages.");
+ if (access("/var/log/journal", F_OK) < 0 && geteuid() != 0 && in_group("systemd-journal") <= 0) {
+ log_error("Unprivileged users can't see messages unless persistent log storage is enabled. Users in the group 'systemd-journal' can always see messages.");
 return -EACCES;
 }
 
- if (!arg_quiet && geteuid() != 0 && in_group("adm") <= 0)
- log_warning("Showing user generated messages only. Users in the group 'adm' can see all messages. Pass -q to turn this notice off.");
+ if (!arg_quiet && geteuid() != 0 && in_group("systemd-journal") <= 0)
+ log_warning("Showing user generated messages only. Users in the group 'systemd-journal' can see all messages. Pass -q to turn this notice off.");
 #else
- if (geteuid() != 0 && in_group("adm") <= 0) {
- log_error("No access to messages. Only users in the group 'adm' can see messages.");
+ if (geteuid() != 0 && in_group("systemd-journal") <= 0) {
+ log_error("No access to messages. Only users in the group 'systemd-journal' can see messages.");
 return -EACCES;
 }
 #endif
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
index 654f7ace21..ac565c7ece 100644
--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@@ -174,7 +174,7 @@ static uint64_t available_space(Server *s) {
 }
 
 static void server_read_file_gid(Server *s) {
- const char *adm = "adm";
+ const char *g = "systemd-journal";
 int r;
 
 assert(s);
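Review bot: In all three changed conditions `in_group("systemd-journal") <= 0` treats a failed lookup the same as non-membership (the `<= 0` test suggests in_group() reports failure with a negative value), and because this commit introduces the group and the README hunk leaves creating it to the packager, on a system where the group is missing every unprivileged user is told to join a group that does not exist. Checking the result once at the top, `r = in_group("systemd-journal"); if (r < 0) log_warning("Failed to check membership of group 'systemd-journal': %s", strerror(-r));` and then testing `r <= 0` in the conditions, would make that state diagnosable instead of silent. Separately, the HAVE_ACL warning text names only 'systemd-journal', while the Makefile and README hunks of this same commit grant 'adm' and 'wheel' read access through ACLs, so members of those groups can read every file and still get "Showing user generated messages only"; the message could say "Users in the group 'systemd-journal' (or with ACL read access to /var/log/journal) can see all messages." access_check() ends outside the hunk.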
@@ -182,9 +182,9 @@ static void server_read_file_gid(Server *s) {
 if (s->file_gid_valid)
 return;
 
- r = get_group_creds(&adm, &s->file_gid);
+ r = get_group_creds(&g, &s->file_gid);
 if (r < 0)
- log_warning("Failed to resolve 'adm' group: %s", strerror(-r));
+ log_warning("Failed to resolve '%s' group: %s", g, strerror(-r));
 
 /* if we couldn't read the gid, then it will be 0, but that's
 * fine and we shouldn't try to resolve the group again, so
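Review bot: The group name resolved here, `"systemd-journal"`, is spelled `"system-journal"` in the README hunk of this commit, so a packager following the README would create the wrong group, get_group_creds() would fail, and per the comment at the end of the hunk file_gid stays 0, which presumably leaves new journal files group-owned by gid 0 with nobody receiving the group-based read access the commit introduces. The README line should read `"systemd-journal" system group to exist`. Because the comment says the lookup is not retried and the failure disables the whole access model, log_error rather than log_warning seems warranted, `log_error("Failed to resolve '%s' group: %s", g, strerror(-r));`, so the misconfiguration is not lost among routine warnings. server_read_file_gid() continues past the end of the hunk.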