
Re: strange journald *.journal file permissions



On 07/09/2015 12:17 AM, Vincent Lefevre wrote:
> FYI, I installed Jessie then upgraded to unstable.

Ah, that explains it, see below:

>>    grep -r var/log/journal {/etc,/usr/lib}/tmpfiles.d
> 
> /usr/lib/tmpfiles.d/systemd.conf:z /var/log/journal 2755 root systemd-journal - -
> /usr/lib/tmpfiles.d/systemd.conf:z /var/log/journal/%m 2755 root systemd-journal - -
> /usr/lib/tmpfiles.d/systemd.conf:a+ /var/log/journal/%m - - - - d:group:adm:r-x
> /usr/lib/tmpfiles.d/systemd.conf:A+ /var/log/journal/%m - - - - group:adm:r-x

Ok, that's it: a+/A+ is new in systemd in unstable (don't remember when
exactly it was introduced, but 215 from Jessie doesn't have it), and
that is used to set ACLs.

So what happened is the following:

 - journald created these files after you initially set
   Storage=persistent, but without ACLs (and thus no ACL mask)

 - the tmpfiles.d snippet was executed after that (probably at the next
   boot)

 - A+ is recursive and adds ACL entries (in this case for the adm
   group)

 - but since the files didn't have an ACL mask yet, it was
   automatically created, leaving the mask with an x bit
   (because the adm-ACL for group was added with x)

=> That's where the x bit comes from.

Thus: the bit is harmless, you may remove it.

What would be interesting to see is the following:

 - remove the executable bit in the mask (= "group permission bit"
   since the files use ACLs) on those files
 - reboot
 - see if the bit is set again

If I read the upstream docs correctly[1], since those files will now
already have a mask, the bit shouldn't be added anymore. Also, since
new files inherit the default ACLs from the parent directory, they will
automatically have ACLs already (but the mask will be based on the file
creation mode), so that they also shouldn't have the executable bit
set upon reboot. If that is not the case, i.e. the executable bit is
still set in either case (after a reboot), then there's a discrepancy
between the docs and the code, so you should open a bug report about
that. (Don't have time to test that myself right now.)


That said, I think it would be justified to open a bug report about the
current behavior (even if after removing the bit once it doesn't occur
anymore), and the solution would be to have tmpfiles.d provide an
option to set ACLs without recalculating a mask (equivalent to what
setfacl -n does), and change the tmpfiles.d snippet to make use of
that.

Christian

[1] http://www.freedesktop.org/software/systemd/man/tmpfiles.d.html
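
Added example, not part of the message above and not systemd or setfacl code: a small Python model of the POSIX ACL mask rule that produces the x bit described in the message, next to the `setfacl -n` behaviour proposed as the fix. The 0640 starting mode and all function names are assumptions made for illustration; the `group:adm:r-x` entry is the one from the quoted tmpfiles.d snippet.

```python
# Constructed model of POSIX ACL mask handling (illustration only).
R, W, X = 4, 2, 1

def minimal_acl(mode):
    """ACL equivalent to plain mode bits: no named entries, no mask."""
    return {"user::": (mode >> 6) & 7, "group::": (mode >> 3) & 7, "other::": mode & 7}

def group_class(acl):
    """Permissions of the owning group and of every named user/group entry."""
    return [p for k, p in acl.items() if k not in ("user::", "other::", "mask::")]

def add_entry(acl, key, perms, recalc_mask=True):
    """Add a named entry such as 'group:adm:'; recalc_mask=False models `setfacl -n`."""
    acl = dict(acl)
    acl[key] = perms
    if "mask::" not in acl:
        # A named entry requires a mask; it starts as a copy of group::.
        acl["mask::"] = acl["group::"]
    if recalc_mask:
        # Default behaviour: mask becomes the union of the whole group class.
        union = 0
        for p in group_class(acl):
            union |= p
        acl["mask::"] = union
    return acl

def stat_mode(acl):
    """Mode bits as ls/stat show them: the group triplet displays the mask."""
    group_bits = acl.get("mask::", acl["group::"])
    return (acl["user::"] << 6) | (group_bits << 3) | acl["other::"]

def effective(acl, key):
    """Rights a group-class entry really grants: entry AND mask."""
    return acl[key] & acl.get("mask::", 7)

if __name__ == "__main__":
    journal = minimal_acl(0o640)  # assumed mode of a journal file created without ACLs
    recalculated = add_entry(journal, "group:adm:", R | X)
    kept = add_entry(journal, "group:adm:", R | X, recalc_mask=False)
    print(oct(stat_mode(recalculated)))  # group triplet now shows r-x
    print(oct(stat_mode(kept)), effective(kept, "group:adm:") == R)
```

With the mask left alone, the adm entry still reads `r-x` in the ACL listing, but its effective rights on the file are limited to read.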
