Re: strange journald *.journal file permissions

To: debian-user@lists.debian.org
Subject: Re: strange journald *.journal file permissions
From: Vincent Lefevre <vincent@vinc17.net>
Date: Thu, 9 Jul 2015 00:17:35 +0200
Message-id: <[🔎] 20150708221735.GA1880@zira.vinc17.org>
Mail-followup-to: debian-user@lists.debian.org
In-reply-to: <[🔎] e0992dbc4a2a50dfe45c2a06a752b48f@iwakd.de>
References: <[🔎] 20150705110325.GA28020@xvii.vinc17.org> <[🔎] 9cc03322bda64dcfa07319a08cec53bf@iwakd.de> <[🔎] 20150708144255.GA4392@ypig.lip.ens-lyon.fr> <[🔎] e0992dbc4a2a50dfe45c2a06a752b48f@iwakd.de>

On 2015-07-08 17:23:37 +0200, Christian Seiler wrote:
> Are you sure you never used setfacl?

Yes, I'm sure.

> Because your files have ACLs
> (as seen by the + sign next to the mode), but systemd-journald by
> default only uses normal permissions (at least under Jessie);

FYI, I installed Jessie then upgraded to unstable.

> unless you explicitly set ACLs on the directory, for example to
> let members of the 'adm' group access the journal (see the
> snippet in README.Debian I posted).

There are ACL's on the directory, but I haven't set them.

drwxr-sr-x+ 2 root systemd-journal 4096 2015-07-03 14:03:44 ./

> (Ok, technically it uses ACLs by default for the user-*.journal,
> to grant each user access to their own journal, but not for
> system.journal.)
> 
>  - What does 'getfacl system.journal' print?

# file: system.journal
# owner: root
# group: root
user::rw-
group::r--
group:adm:r-x
mask::r-x
other::---

And for the directory:

# file: .
# owner: root
# group: systemd-journal
# flags: -s-
user::rwx
group::r-x
group:adm:r-x
mask::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:adm:r-x
default:mask::r-x
default:other::r-x

>  - Do you have any tmpfiles.d snippet installed that does
>    something to /var/log/journal?
> 
>    grep -r var/log/journal {/etc,/usr/lib}/tmpfiles.d

/usr/lib/tmpfiles.d/systemd.conf:z /var/log/journal 2755 root systemd-journal - -
/usr/lib/tmpfiles.d/systemd.conf:z /var/log/journal/%m 2755 root systemd-journal - -
/usr/lib/tmpfiles.d/systemd.conf:a+ /var/log/journal/%m - - - - d:group:adm:r-x
/usr/lib/tmpfiles.d/systemd.conf:A+ /var/log/journal/%m - - - - group:adm:r-x

>    Should only print systemd.conf with two 'z' (i.e.
>    non-recursive) entries for /var/log/journal and
>    /var/log/journal/%m.

Well, this is not the case. And the file comes from systemd.

>  - Do you have any cron job or init script or systemd
>    service installed that plays around with file modes?

No.

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Reply to:

Follow-Ups:
- Re: strange journald *.journal file permissions
  - From: Christian Seiler <christian@iwakd.de>

References:
- strange journald *.journal file permissions
  - From: Vincent Lefevre <vincent@vinc17.net>
- Re: strange journald *.journal file permissions
  - From: Christian Seiler <christian@iwakd.de>
- Re: strange journald *.journal file permissions
  - From: Vincent Lefevre <vincent@vinc17.net>
- Re: strange journald *.journal file permissions
  - From: Christian Seiler <christian@iwakd.de>

Prev by Date: Re: Free GNU/Linux intro class for teens advice? Purchase box? Squeak/Smalltalk programming
Next by Date: boot hangs when no ethernet cable is plugged in
Previous by thread: Re: strange journald *.journal file permissions
Next by thread: Re: strange journald *.journal file permissions
Index(es):
- Date
- Thread