journalctl: improve hint about lack of access for --user-unit=...

When running journalctl --user-unit=foo as an unprivileged user we could get the usual hint: Hint: You are currently not seeing messages from the system and other users. Users in groups 'adm', 'systemd-journal', 'wheel' can see all messages. ... But with --user-unit our filter is: (((_UID=0 OR _UID=1000) AND OBJECT_SYSTEMD_USER_UNIT=foo.service) OR ((_UID=0 OR _UID=1000) AND COREDUMP_USER_UNIT=foo.service) OR (_UID=1000 AND USER_UNIT=foo.service) OR (_UID=1000 AND _SYSTEMD_USER_UNIT=foo.service)) so we would never see messages from other users. We could still see messages from the system. In fact, on my machine the only messages with OBJECT_SYSTEMD_USER_UNIT= are from the system: journalctl $(journalctl -F OBJECT_SYSTEMD_USER_UNIT|sed 's/.*/OBJECT_SYSTEMD_USER_UNIT=\0/') Thus, a more correct hint is that we cannot see messages from the system. Make it so. Fixes #7887.
2018-02-19 22:40:26 +01:00 · 2018-02-19 22:40:26 +01:00 · e79d0b59c8
parent 2e10cc5649
commit e79d0b59c8
4 changed files with 15 additions and 12 deletions
--- a/src/coredump/coredumpctl.c
+++ b/src/coredump/coredumpctl.c
@ -1040,7 +1040,7 @@ int main(int argc, char *argv[]) {
                }
        }

-        r = journal_access_check_and_warn(j, arg_quiet);
+        r = journal_access_check_and_warn(j, arg_quiet, true);
        if (r < 0)
                goto end;

--- a/src/journal/journalctl.c
+++ b/src/journal/journalctl.c
@ -972,8 +972,7 @@ static int parse_argv(int argc, char *argv[]) {
                return -EINVAL;
        }

-        if (!strv_isempty(arg_system_units) && (arg_journal_type == SD_JOURNAL_CURRENT_USER)) {
-
+        if (!strv_isempty(arg_system_units) && arg_journal_type == SD_JOURNAL_CURRENT_USER) {
                /* Specifying --user and --unit= at the same time makes no sense (as the former excludes the user
                 * journal, but the latter excludes the system journal, thus resulting in empty output). Let's be nice
                 * to users, and automatically turn --unit= into --user-unit= if combined with --user. */
@ -2241,7 +2240,8 @@ int main(int argc, char *argv[]) {
                goto finish;
        }

-        r = journal_access_check_and_warn(j, arg_quiet);
+        r = journal_access_check_and_warn(j, arg_quiet,
+                                          !(arg_journal_type == SD_JOURNAL_CURRENT_USER || arg_user_units));
        if (r < 0)
                goto finish;

--- a/src/shared/journal-util.c
+++ b/src/shared/journal-util.c
@ -28,7 +28,7 @@
 #include "strv.h"
 #include "user-util.h"

-static int access_check_var_log_journal(sd_journal *j) {
+static int access_check_var_log_journal(sd_journal *j, bool want_other_users) {
 #if HAVE_ACL
        _cleanup_strv_free_ char **g = NULL;
        const char* dir;
@ -81,22 +81,25 @@ static int access_check_var_log_journal(sd_journal *j) {
                if (!s)
                        return log_oom();

-                log_notice("Hint: You are currently not seeing messages from other users and the system.\n"
+                log_notice("Hint: You are currently not seeing messages from %s.\n"
                           "      Users in groups '%s' can see all messages.\n"
-                           "      Pass -q to turn off this notice.", s);
+                           "      Pass -q to turn off this notice.",
+                           want_other_users ? "other users and the system" : "the system",
+                           s);
                return 1;
        }
 #endif

        /* If no ACLs were found, print a short version of the message. */
-        log_notice("Hint: You are currently not seeing messages from other users and the system.\n"
+        log_notice("Hint: You are currently not seeing messages from %s.\n"
                   "      Users in the 'systemd-journal' group can see all messages. Pass -q to\n"
-                   "      turn off this notice.");
+                   "      turn off this notice.",
+                   want_other_users ? "other users and the system" : "the system");

        return 1;
 }

-int journal_access_check_and_warn(sd_journal *j, bool quiet) {
+int journal_access_check_and_warn(sd_journal *j, bool quiet, bool want_other_users) {
        Iterator it;
        void *code;
        char *path;
@ -113,7 +116,7 @@ int journal_access_check_and_warn(sd_journal *j, bool quiet) {

        if (hashmap_contains(j->errors, INT_TO_PTR(-EACCES))) {
                if (!quiet)
-                        (void) access_check_var_log_journal(j);
+                        (void) access_check_var_log_journal(j, want_other_users);

                if (ordered_hashmap_isempty(j->files))
                        r = log_error_errno(EACCES, "No journal files were opened due to insufficient permissions.");
--- a/src/shared/journal-util.h
+++ b/src/shared/journal-util.h
@ -26,4 +26,4 @@

 bool journal_field_valid(const char *p, size_t l, bool allow_protected);

-int journal_access_check_and_warn(sd_journal *j, bool quiet);
+int journal_access_check_and_warn(sd_journal *j, bool quiet, bool want_other_users);