picnoir/Systemd
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

journalctl: rework code that checks whether we have access to /var/log/journal

Browse source 
- fix some memory leaks on error conditions

- handle all error cases properly, and log about failures

- move HAVE_ACL and no-HAVE_ACL code closer to each other
This commit is contained in:
Lennart Poettering 2015-04-22 22:54:23 +02:00
parent 0a02157831
commit e346512c68
3 changed files with 124 additions and 110 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

132
src/journal/journalctl.c
View file

@ -1524,62 +1524,77 @@ static int verify(sd_journal *j) {
return r;
}
#ifdef HAVE_ACL
static int access_check_var_log_journal(sd_journal *j) {
#ifdef HAVE_ACL
_cleanup_strv_free_ char **g = NULL;
bool have_access;
const char* dir;
#endif
int r;
assert(j);
have_access = in_group("systemd-journal") > 0;
if (arg_quiet)
return 0;
if (!have_access) {
const char* dir;
/* If we are root, we should have access, don't warn. */
if (getuid() == 0)
return 0;
if (access("/run/log/journal", F_OK) >= 0)
dir = "/run/log/journal";
else
dir = "/var/log/journal";
/* If we are in the 'systemd-journal' group, we should have
* access too. */
r = in_group("systemd-journal");
if (r < 0)
return log_error_errno(r, "Failed to check if we are in the 'systemd-journal' group: %m");
if (r > 0)
return 0;
/* Let's enumerate all groups from the default ACL of
* the directory, which generally should allow access
* to most journal files too */
r = search_acl_groups(&g, dir, &have_access);
#ifdef HAVE_ACL
if (laccess("/run/log/journal", F_OK) >= 0)
dir = "/run/log/journal";
else
dir = "/var/log/journal";
/* If we are in any of the groups listed in the journal ACLs,
* then all is good, too. Let's enumerate all groups from the
* default ACL of the directory, which generally should allow
* access to most journal files too. */
r = acl_search_groups(dir, &g);
if (r < 0)
return log_error_errno(r, "Failed to search journal ACL: %m");
if (r > 0)
return 0;
/* Print a pretty list, if there were ACLs set. */
if (!strv_isempty(g)) {
_cleanup_free_ char *s = NULL;
/* Thre are groups in the ACL, let's list them */
r = strv_extend(&g, "systemd-journal");
if (r < 0)
return r;
return log_oom();
strv_sort(g);
strv_uniq(g);
s = strv_join(g, "', '");
if (!s)
return log_oom();
log_notice("Hint: You are currently not seeing messages from other users and the system.\n"
" Users in groups '%s' can see all messages.\n"
" Pass -q to turn off this notice.", s);
return 1;
}
if (!have_access) {
if (strv_isempty(g))
log_notice("Hint: You are currently not seeing messages from other users and the system.\n"
" Users in the 'systemd-journal' group can see all messages. Pass -q to\n"
" turn off this notice.");
else {
_cleanup_free_ char *s = NULL;
r = strv_extend(&g, "systemd-journal");
if (r < 0)
return log_oom();
strv_sort(g);
strv_uniq(g);
s = strv_join(g, "', '");
if (!s)
return log_oom();
log_notice("Hint: You are currently not seeing messages from other users and the system.\n"
" Users in groups '%s' can see all messages.\n"
" Pass -q to turn off this notice.", s);
}
}
return 0;
}
#endif
/* If no ACLs were found, print a short version of the message. */
log_notice("Hint: You are currently not seeing messages from other users and the system.\n"
" Users in the 'systemd-journal' group can see all messages. Pass -q to\n"
" turn off this notice.");
return 1;
}
static int access_check(sd_journal *j) {
Iterator it;
void *code;
@ -1590,30 +1605,15 @@ static int access_check(sd_journal *j) {
if (set_isempty(j->errors)) {
if (ordered_hashmap_isempty(j->files))
log_notice("No journal files were found.");
return 0;
}
if (set_contains(j->errors, INT_TO_PTR(-EACCES))) {
#ifdef HAVE_ACL
/* If /run/log/journal or /var/log/journal exist, try
to pring a nice notice if the user lacks access to it. */
if (!arg_quiet && geteuid() != 0) {
r = access_check_var_log_journal(j);
if (r < 0)
return r;
}
#else
if (geteuid() != 0 && in_group("systemd-journal") <= 0) {
log_error("Unprivileged users cannot access messages. Users in the 'systemd-journal' group\n"
"group may access messages.");
return -EACCES;
}
#endif
(void) access_check_var_log_journal(j);
if (ordered_hashmap_isempty(j->files)) {
log_error("No journal files were opened due to insufficient permissions.");
r = -EACCES;
}
if (ordered_hashmap_isempty(j->files))
r = log_error_errno(EACCES, "No journal files were opened due to insufficient permissions.");
}
SET_FOREACH(code, j->errors, it) {
@ -1622,8 +1622,12 @@ static int access_check(sd_journal *j) {
err = -PTR_TO_INT(code);
assert(err > 0);
if (err != EACCES)
log_warning_errno(err, "Error was encountered while opening journal files: %m");
if (err == EACCES)
continue;
log_warning_errno(err, "Error was encountered while opening journal files: %m");
if (r == 0)
r = -err;
}
return r;

100
src/shared/acl-util.c
View file

@ -81,17 +81,18 @@ int calc_acl_mask_if_needed(acl_t *acl_p) {
if (tag == ACL_MASK)
return 0;
if (IN_SET(tag, ACL_USER, ACL_GROUP))
goto calc;
if (IN_SET(tag, ACL_USER, ACL_GROUP)) {
if (acl_calc_mask(acl_p) < 0)
return -errno;
return 1;
}
}
if (r < 0)
return -errno;
return 0;
calc:
if (acl_calc_mask(acl_p) < 0)
return -errno;
return 1;
return 0;
}
int add_base_acls_if_needed(acl_t *acl_p, const char *path) {
@ -158,59 +159,68 @@ int add_base_acls_if_needed(acl_t *acl_p, const char *path) {
return 0;
}
int search_acl_groups(char*** dst, const char* path, bool* belong) {
acl_t acl;
int acl_search_groups(const char *path, char ***ret_groups) {
_cleanup_strv_free_ char **g = NULL;
_cleanup_(acl_free) acl_t acl = NULL;
bool ret = false;
acl_entry_t entry;
int r;
assert(path);
assert(belong);
acl = acl_get_file(path, ACL_TYPE_DEFAULT);
if (acl) {
acl_entry_t entry;
int r;
if (!acl)
return -errno;
r = acl_get_entry(acl, ACL_FIRST_ENTRY, &entry);
while (r > 0) {
acl_tag_t tag;
gid_t *gid;
char *name;
r = acl_get_entry(acl, ACL_FIRST_ENTRY, &entry);
for (;;) {
_cleanup_(acl_free_gid_tpp) gid_t *gid = NULL;
acl_tag_t tag;
r = acl_get_tag_type(entry, &tag);
if (r < 0)
break;
if (r < 0)
return -errno;
if (r == 0)
break;
if (tag != ACL_GROUP)
goto next;
if (acl_get_tag_type(entry, &tag) < 0)
return -errno;
gid = acl_get_qualifier(entry);
if (!gid)
break;
if (tag != ACL_GROUP)
goto next;
if (in_gid(*gid) > 0) {
*belong = true;
break;
}
gid = acl_get_qualifier(entry);
if (!gid)
return -errno;
name = gid_to_name(*gid);
if (!name) {
acl_free(acl);
return log_oom();
}
if (in_gid(*gid) > 0) {
if (!ret_groups)
return true;
r = strv_consume(dst, name);
if (r < 0) {
acl_free(acl);
return log_oom();
}
next:
r = acl_get_entry(acl, ACL_NEXT_ENTRY, &entry);
ret = true;
}
acl_free(acl);
if (ret_groups) {
char *name;
name = gid_to_name(*gid);
if (!name)
return -ENOMEM;
r = strv_consume(&g, name);
if (r < 0)
return r;
}
next:
r = acl_get_entry(acl, ACL_NEXT_ENTRY, &entry);
}
return 0;
if (ret_groups) {
*ret_groups = g;
g = NULL;
}
return ret;
}
int parse_acl(char *text, acl_t *acl_access, acl_t *acl_default, bool want_mask) {

2
src/shared/acl-util.h
View file

@ -32,7 +32,7 @@
int acl_find_uid(acl_t acl, uid_t uid, acl_entry_t *entry);
int calc_acl_mask_if_needed(acl_t *acl_p);
int add_base_acls_if_needed(acl_t *acl_p, const char *path);
int search_acl_groups(char*** dst, const char* path, bool* belong);
int acl_search_groups(const char* path, char ***ret_groups);
int parse_acl(char *text, acl_t *acl_access, acl_t *acl_default, bool want_mask);
int acls_for_file(const char *path, acl_type_t type, acl_t new, acl_t *acl);