Commit graph

9 commits

Author SHA1 Message Date
lewo 15fcdc98cf tmpfiles.d: set primary group rights to r-w (#5265)
If the /var/log/journal directory is created with rights 700, the application
of an ACL rule without any primary group right sets it to 0. A chmod 755 on
this file will then only set the ACL mask and leave the ACL primary group right
to 0. The directory is then unreadable for the primary group.

This patch explicitly sets the primary group to avoid this problem.

Fixes #5264.
2017-02-07 18:56:55 -05:00
Franck Bui d428dd6ac9 tmpfiles: don't set the x bit for volatile system journal when ACL support is enabled (#3079)
When ACL support is enabled, systemd-tmpfiles-setup service sets the following
ACL entries to the volatile system journal:

   $ getfacl /run/log/journal/*/system.journal
   getfacl: Removing leading '/' from absolute path names
   # file: run/log/journal/xxx/system.journal
   # owner: root
   # group: systemd-journal
   user::rwx
   group::r--
   group:wheel:r-x
   group:adm:r-x
   mask::r-x
   other::---

This patch makes sure that the exec bit is not set anymore for the volatile
system journals.
2016-05-03 19:29:11 -04:00
Franck Bui 7178cd76f2 build-sys: allow references to adm group to be omitted (#3150) 2016-05-01 00:02:17 -04:00
Zbigniew Jędrzejewski-Szmek 2a998ffa1e build-sys: allow references to wheel group to be omitted
https://github.com/systemd/systemd/issues/2492
2016-02-17 23:47:23 -05:00
Zbigniew Jędrzejewski-Szmek afae249efa tmpfiles: set acls on system.journal explicitly
https://github.com/systemd/systemd/issues/1397
2015-11-29 23:38:09 -05:00
Zbigniew Jędrzejewski-Szmek 57d5b3130c tmpfiles: also set acls on /var/log/journal
This way, directories created later for containers or for
journald-remote, will be readable by adm & wheel groups by default,
similarly to /var/log/journal/%m itself.

https://github.com/systemd/systemd/issues/1971
2015-11-29 18:37:01 -05:00
Lennart Poettering 8b258a645a tmpfiles: don't recursively descend into journal directories in /var
Do so only in /run. We shouldn't alter ACLs for existing files in /var,
but only for new files. If the admin made changes to the ACLs they
should stay in place.

We should still do recursive ACL changes for files in /run, since those
are not persistent, and will hence lack ACLs on every boot.

Also, /var/log/journal might be quite large, /run/log/journal is usually
not, hence we should avoid the recursive descending on /var, but not on
/run.

Fixes #534
2015-07-09 18:46:01 -03:00
Zbigniew Jędrzejewski-Szmek a48a62a1af tmpfiles: use ACL magic on journal directories 2015-01-22 01:14:53 -05:00
Łukasz Stelmach 5a16bc264c build-sys: configure the list of system users, files and directories
Choose which system users defined in sysusers.d/systemd.conf and files
or directories in tmpfiles.d/systemd.conf, should be provided depending
on compile-time configuration.
2014-11-30 23:50:19 -05:00
Renamed from tmpfiles.d/systemd.conf