Bug 70866

Summary: [systemd-journald][208] User in systemd-journal group can't access journal if it's in volatile storage only
Product: systemd
Component: general
Reporter: reztho
Assignee: Zbigniew Jedrzejewski-Szmek <zbyszek>
Status: RESOLVED FIXED
QA Contact: systemd-bugs
Severity: minor
Priority: low
CC: dennis.schridde, hongy19, lists, xtraeme
Version: unspecified
Hardware: Other
OS: Linux (All)

Description reztho 2013-10-25 16:11:48 UTC
In the man page of journalctl, we can see this:
"All users are granted access to their private per-user journals. However, by default, only root and users who are members of the "systemd-journal" group get access to the system journal and the journals of other users."

But this only applies as long as the journal uses the persistent storage. Users can't access the journal when only using the volatile storage: the journal file in /run/log/journal/%m/system.journal is owned by root.root.

Steps to reproduce:
1. gpasswd -a user systemd-journald
2. Edit the file /etc/systemd/journald.conf and change the storage line to:
Storage=volatile
3. Reboot, login as user and run journalctl:
No journal files were found

Workaround, thanks to alxchk from the official systemd IRC channel:
1. Add these lines to /etc/systemd/system/systemd-journald.service.d/fixperms.conf
[Service]
ExecStartPre=/usr/bin/systemd-tmpfiles --create --prefix=/run/log

2. Add this line to /etc/tmpfiles.d/journald_fixperms.conf:
d /run/log/journal 2755 root systemd-journal - -

Comment 1 Cristian Rodríguez 2013-12-02 00:05:59 UTC
*** Bug 70475 has been marked as a duplicate of this bug. ***

Comment 2 Lennart Poettering 2014-02-21 14:15:53 UTC
*** Bug 74548 has been marked as a duplicate of this bug. ***

Comment 3 Lennart Poettering 2014-05-24 09:28:10 UTC
*** Bug 76879 has been marked as a duplicate of this bug. ***

Comment 4 Lennart Poettering 2014-06-25 10:43:39 UTC
Fixed in current versions. We will now rechown() the files in /run after boot.

Comment 5 Zbigniew Jedrzejewski-Szmek 2014-06-25 14:11:49 UTC
I'm afraid the goalposts have moved in the meanwhile.

We now have two bugs:
1. journalctl(1) needs to be updated, because 'adm' and 'wheel' groups are allowed to read the journal too. I'll do that later today.

2. volatile logs are still not available for those two groups.
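
An added check, not part of the original report or of systemd: a Python script that audits the tree targeted by the workaround's tmpfiles.d line (`d /run/log/journal 2755 root systemd-journal`), reporting directories without the expected group or setgid bit and journal files the group cannot read. The function names are assumptions of this example, and it inspects only the owning group and mode bits, not POSIX ACLs.

```python
import os
import stat


def check_entry(path, mode, gid, want_gid):
    """Return a list of problems for one directory or journal file."""
    problems = []
    if gid != want_gid:
        problems.append(f"{path}: group gid {gid}, expected {want_gid}")
    if stat.S_ISDIR(mode):
        # Mirrors the workaround line: d /run/log/journal 2755 root systemd-journal
        if not mode & stat.S_ISGID:
            problems.append(f"{path}: setgid bit missing, new files keep the creator's group")
        if mode & 0o050 != 0o050:
            problems.append(f"{path}: group cannot list/traverse directory")
    elif not mode & stat.S_IRGRP:
        problems.append(f"{path}: not group-readable")
    return problems


def audit_journal_tree(root, want_gid):
    """Walk root (e.g. /run/log/journal) and collect problems for every
    directory and every *.journal file below it."""
    problems = []
    for dirpath, _dirnames, filenames in os.walk(root):
        st = os.stat(dirpath)
        problems += check_entry(dirpath, st.st_mode, st.st_gid, want_gid)
        for name in filenames:
            if name.endswith(".journal"):
                path = os.path.join(dirpath, name)
                st = os.stat(path)
                problems += check_entry(path, st.st_mode, st.st_gid, want_gid)
    return problems


if __name__ == "__main__":
    import grp
    import sys

    root = sys.argv[1] if len(sys.argv) > 1 else "/run/log/journal"
    gid = grp.getgrnam("systemd-journal").gr_gid
    found = audit_journal_tree(root, gid)
    print("\n".join(found) or f"{root}: group ownership and mode bits look correct")
    sys.exit(1 if found else 0)
```

Run it after boot with `Storage=volatile` set; a non-zero exit status means at least one entry would be unreadable to members of the group.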
