journalctl: rework code that checks whether we have access to /var/log/journal
- fix some memory leaks on error conditions - handle all error cases properly, and log about failures - move HAVE_ACL and no-HAVE_ACL code closer to each other
This commit is contained in:
parent
0a02157831
commit
e346512c68
|
@ -1524,62 +1524,77 @@ static int verify(sd_journal *j) {
|
|||
return r;
|
||||
}
|
||||
|
||||
#ifdef HAVE_ACL
|
||||
static int access_check_var_log_journal(sd_journal *j) {
|
||||
#ifdef HAVE_ACL
|
||||
_cleanup_strv_free_ char **g = NULL;
|
||||
bool have_access;
|
||||
const char* dir;
|
||||
#endif
|
||||
int r;
|
||||
|
||||
assert(j);
|
||||
|
||||
have_access = in_group("systemd-journal") > 0;
|
||||
if (arg_quiet)
|
||||
return 0;
|
||||
|
||||
if (!have_access) {
|
||||
const char* dir;
|
||||
/* If we are root, we should have access, don't warn. */
|
||||
if (getuid() == 0)
|
||||
return 0;
|
||||
|
||||
if (access("/run/log/journal", F_OK) >= 0)
|
||||
dir = "/run/log/journal";
|
||||
else
|
||||
dir = "/var/log/journal";
|
||||
/* If we are in the 'systemd-journal' group, we should have
|
||||
* access too. */
|
||||
r = in_group("systemd-journal");
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to check if we are in the 'systemd-journal' group: %m");
|
||||
if (r > 0)
|
||||
return 0;
|
||||
|
||||
/* Let's enumerate all groups from the default ACL of
|
||||
* the directory, which generally should allow access
|
||||
* to most journal files too */
|
||||
r = search_acl_groups(&g, dir, &have_access);
|
||||
#ifdef HAVE_ACL
|
||||
if (laccess("/run/log/journal", F_OK) >= 0)
|
||||
dir = "/run/log/journal";
|
||||
else
|
||||
dir = "/var/log/journal";
|
||||
|
||||
/* If we are in any of the groups listed in the journal ACLs,
|
||||
* then all is good, too. Let's enumerate all groups from the
|
||||
* default ACL of the directory, which generally should allow
|
||||
* access to most journal files too. */
|
||||
r = acl_search_groups(dir, &g);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to search journal ACL: %m");
|
||||
if (r > 0)
|
||||
return 0;
|
||||
|
||||
/* Print a pretty list, if there were ACLs set. */
|
||||
if (!strv_isempty(g)) {
|
||||
_cleanup_free_ char *s = NULL;
|
||||
|
||||
/* Thre are groups in the ACL, let's list them */
|
||||
r = strv_extend(&g, "systemd-journal");
|
||||
if (r < 0)
|
||||
return r;
|
||||
return log_oom();
|
||||
|
||||
strv_sort(g);
|
||||
strv_uniq(g);
|
||||
|
||||
s = strv_join(g, "', '");
|
||||
if (!s)
|
||||
return log_oom();
|
||||
|
||||
log_notice("Hint: You are currently not seeing messages from other users and the system.\n"
|
||||
" Users in groups '%s' can see all messages.\n"
|
||||
" Pass -q to turn off this notice.", s);
|
||||
return 1;
|
||||
}
|
||||
|
||||
if (!have_access) {
|
||||
|
||||
if (strv_isempty(g))
|
||||
log_notice("Hint: You are currently not seeing messages from other users and the system.\n"
|
||||
" Users in the 'systemd-journal' group can see all messages. Pass -q to\n"
|
||||
" turn off this notice.");
|
||||
else {
|
||||
_cleanup_free_ char *s = NULL;
|
||||
|
||||
r = strv_extend(&g, "systemd-journal");
|
||||
if (r < 0)
|
||||
return log_oom();
|
||||
|
||||
strv_sort(g);
|
||||
strv_uniq(g);
|
||||
|
||||
s = strv_join(g, "', '");
|
||||
if (!s)
|
||||
return log_oom();
|
||||
|
||||
log_notice("Hint: You are currently not seeing messages from other users and the system.\n"
|
||||
" Users in groups '%s' can see all messages.\n"
|
||||
" Pass -q to turn off this notice.", s);
|
||||
}
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
|
||||
/* If no ACLs were found, print a short version of the message. */
|
||||
log_notice("Hint: You are currently not seeing messages from other users and the system.\n"
|
||||
" Users in the 'systemd-journal' group can see all messages. Pass -q to\n"
|
||||
" turn off this notice.");
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int access_check(sd_journal *j) {
|
||||
Iterator it;
|
||||
void *code;
|
||||
|
@ -1590,30 +1605,15 @@ static int access_check(sd_journal *j) {
|
|||
if (set_isempty(j->errors)) {
|
||||
if (ordered_hashmap_isempty(j->files))
|
||||
log_notice("No journal files were found.");
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (set_contains(j->errors, INT_TO_PTR(-EACCES))) {
|
||||
#ifdef HAVE_ACL
|
||||
/* If /run/log/journal or /var/log/journal exist, try
|
||||
to pring a nice notice if the user lacks access to it. */
|
||||
if (!arg_quiet && geteuid() != 0) {
|
||||
r = access_check_var_log_journal(j);
|
||||
if (r < 0)
|
||||
return r;
|
||||
}
|
||||
#else
|
||||
if (geteuid() != 0 && in_group("systemd-journal") <= 0) {
|
||||
log_error("Unprivileged users cannot access messages. Users in the 'systemd-journal' group\n"
|
||||
"group may access messages.");
|
||||
return -EACCES;
|
||||
}
|
||||
#endif
|
||||
(void) access_check_var_log_journal(j);
|
||||
|
||||
if (ordered_hashmap_isempty(j->files)) {
|
||||
log_error("No journal files were opened due to insufficient permissions.");
|
||||
r = -EACCES;
|
||||
}
|
||||
if (ordered_hashmap_isempty(j->files))
|
||||
r = log_error_errno(EACCES, "No journal files were opened due to insufficient permissions.");
|
||||
}
|
||||
|
||||
SET_FOREACH(code, j->errors, it) {
|
||||
|
@ -1622,8 +1622,12 @@ static int access_check(sd_journal *j) {
|
|||
err = -PTR_TO_INT(code);
|
||||
assert(err > 0);
|
||||
|
||||
if (err != EACCES)
|
||||
log_warning_errno(err, "Error was encountered while opening journal files: %m");
|
||||
if (err == EACCES)
|
||||
continue;
|
||||
|
||||
log_warning_errno(err, "Error was encountered while opening journal files: %m");
|
||||
if (r == 0)
|
||||
r = -err;
|
||||
}
|
||||
|
||||
return r;
|
||||
|
|
|
@ -81,17 +81,18 @@ int calc_acl_mask_if_needed(acl_t *acl_p) {
|
|||
|
||||
if (tag == ACL_MASK)
|
||||
return 0;
|
||||
if (IN_SET(tag, ACL_USER, ACL_GROUP))
|
||||
goto calc;
|
||||
|
||||
if (IN_SET(tag, ACL_USER, ACL_GROUP)) {
|
||||
if (acl_calc_mask(acl_p) < 0)
|
||||
return -errno;
|
||||
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
if (r < 0)
|
||||
return -errno;
|
||||
return 0;
|
||||
|
||||
calc:
|
||||
if (acl_calc_mask(acl_p) < 0)
|
||||
return -errno;
|
||||
return 1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
int add_base_acls_if_needed(acl_t *acl_p, const char *path) {
|
||||
|
@ -158,59 +159,68 @@ int add_base_acls_if_needed(acl_t *acl_p, const char *path) {
|
|||
return 0;
|
||||
}
|
||||
|
||||
int search_acl_groups(char*** dst, const char* path, bool* belong) {
|
||||
acl_t acl;
|
||||
int acl_search_groups(const char *path, char ***ret_groups) {
|
||||
_cleanup_strv_free_ char **g = NULL;
|
||||
_cleanup_(acl_free) acl_t acl = NULL;
|
||||
bool ret = false;
|
||||
acl_entry_t entry;
|
||||
int r;
|
||||
|
||||
assert(path);
|
||||
assert(belong);
|
||||
|
||||
acl = acl_get_file(path, ACL_TYPE_DEFAULT);
|
||||
if (acl) {
|
||||
acl_entry_t entry;
|
||||
int r;
|
||||
if (!acl)
|
||||
return -errno;
|
||||
|
||||
r = acl_get_entry(acl, ACL_FIRST_ENTRY, &entry);
|
||||
while (r > 0) {
|
||||
acl_tag_t tag;
|
||||
gid_t *gid;
|
||||
char *name;
|
||||
r = acl_get_entry(acl, ACL_FIRST_ENTRY, &entry);
|
||||
for (;;) {
|
||||
_cleanup_(acl_free_gid_tpp) gid_t *gid = NULL;
|
||||
acl_tag_t tag;
|
||||
|
||||
r = acl_get_tag_type(entry, &tag);
|
||||
if (r < 0)
|
||||
break;
|
||||
if (r < 0)
|
||||
return -errno;
|
||||
if (r == 0)
|
||||
break;
|
||||
|
||||
if (tag != ACL_GROUP)
|
||||
goto next;
|
||||
if (acl_get_tag_type(entry, &tag) < 0)
|
||||
return -errno;
|
||||
|
||||
gid = acl_get_qualifier(entry);
|
||||
if (!gid)
|
||||
break;
|
||||
if (tag != ACL_GROUP)
|
||||
goto next;
|
||||
|
||||
if (in_gid(*gid) > 0) {
|
||||
*belong = true;
|
||||
break;
|
||||
}
|
||||
gid = acl_get_qualifier(entry);
|
||||
if (!gid)
|
||||
return -errno;
|
||||
|
||||
name = gid_to_name(*gid);
|
||||
if (!name) {
|
||||
acl_free(acl);
|
||||
return log_oom();
|
||||
}
|
||||
if (in_gid(*gid) > 0) {
|
||||
if (!ret_groups)
|
||||
return true;
|
||||
|
||||
r = strv_consume(dst, name);
|
||||
if (r < 0) {
|
||||
acl_free(acl);
|
||||
return log_oom();
|
||||
}
|
||||
|
||||
next:
|
||||
r = acl_get_entry(acl, ACL_NEXT_ENTRY, &entry);
|
||||
ret = true;
|
||||
}
|
||||
|
||||
acl_free(acl);
|
||||
if (ret_groups) {
|
||||
char *name;
|
||||
|
||||
name = gid_to_name(*gid);
|
||||
if (!name)
|
||||
return -ENOMEM;
|
||||
|
||||
r = strv_consume(&g, name);
|
||||
if (r < 0)
|
||||
return r;
|
||||
}
|
||||
|
||||
next:
|
||||
r = acl_get_entry(acl, ACL_NEXT_ENTRY, &entry);
|
||||
}
|
||||
|
||||
return 0;
|
||||
if (ret_groups) {
|
||||
*ret_groups = g;
|
||||
g = NULL;
|
||||
}
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
int parse_acl(char *text, acl_t *acl_access, acl_t *acl_default, bool want_mask) {
|
||||
|
|
|
@ -32,7 +32,7 @@
|
|||
int acl_find_uid(acl_t acl, uid_t uid, acl_entry_t *entry);
|
||||
int calc_acl_mask_if_needed(acl_t *acl_p);
|
||||
int add_base_acls_if_needed(acl_t *acl_p, const char *path);
|
||||
int search_acl_groups(char*** dst, const char* path, bool* belong);
|
||||
int acl_search_groups(const char* path, char ***ret_groups);
|
||||
int parse_acl(char *text, acl_t *acl_access, acl_t *acl_default, bool want_mask);
|
||||
int acls_for_file(const char *path, acl_type_t type, acl_t new, acl_t *acl);
|
||||
|
||||
|
|
Loading…
Reference in a new issue