
RFE: provide hint if permissions do not allow any journal files to be opened #57

Open
dementedhedgehog opened this issue Jun 13, 2018 · 5 comments

Comments

@dementedhedgehog

Reading from journald without permission to do so should throw an exception but doesn't?

build:~$ cat /etc/os-release 
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

build:~$ 
build:~$ groups 
developers
build:~$ 
build:~$ journalctl --since "1 hour ago"
Hint: You are currently not seeing messages from other users and the system.
      Users in the 'systemd-journal' group can see all messages. Pass -q to
      turn off this notice.
No journal files were opened due to insufficient permissions.
build:~$ 
build:~$ python3.6
Python 3.6.3 (default, Jan  4 2018, 16:40:53) 
[GCC 4.8.5 20150623 (Red Hat 4.8.5-16)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> 
>>> 
>>> from systemd import journal
>>> j = journal.Reader()
>>> j.this_boot()
>>> j.log_level(journal.LOG_DEBUG)
>>> j.get_next()
{}
>>> for entry in j:
...     print(entry)
... 
>>> 

@stigok

stigok commented Nov 4, 2018

On Ubuntu 18.04, journalctl does not itself exit with an error. So I wouldn't expect this python library to do it either.

$ journalctl -u asd
Hint: You are currently not seeing messages from other users and the system.
      Users in groups 'adm', 'systemd-journal' can see all messages.
      Pass -q to turn off this notice.
-- Logs begin at Wed 2018-10-17 13:14:15 CEST, end at Thu 2018-10-18 01:41:30 CEST. --
-- No entries -

@dementedhedgehog
Author

dementedhedgehog commented Nov 5, 2018

Hi stigok,
I'm not sure that the logic follows. Python does not always, or perhaps even usually, behave the same way as C or old-school Unix programs (scripts) do. How can you differentiate within code whether you have permissions to view journal entries or there are none?

cheers
blaize

@stigok

stigok commented Nov 6, 2018

That is a good question. There is not a whole lot written about handling permissions, but here is the little I found in the docs:

Note that in order to access the system journal, a non-root user must have the necessary privileges, see journalctl(1) for details. Unprivileged users can access only their own journal.

And man 1 journalctl says something more

All users are granted access to their private per-user journals. However, by default, only root and users who are members of a few special groups are granted access to the system journal and the journals of other users. Members of the groups "systemd-journal", "adm", and "wheel" can read all journal files. Note that the two latter groups traditionally have additional privileges specified by the distribution. Members of the "wheel" group can often perform administrative tasks.

Furthermore, in the --system, --user argument help text, it is stated that

If neither [--system, --user] is specified, show all messages that the user can see.

So to me, it seems like it's normal to just dump whatever it can and not really care about permissions.
A way to check if you have system-level permissions might be to see if a single line exists in a protected log. An example using journalctl could be

$ sudo -u ftp journalctl --boot 0 --lines=1
Hint: You are currently not seeing messages from other users and the system.
      Users in groups 'adm', 'systemd-journal', 'wheel' can see all messages.
      Pass -q to turn off this notice.
No journal files were opened due to insufficient permissions.

Does this make sense?

@sebix
Contributor

sebix commented Nov 6, 2018

journalctl --system without root permissions gives exit code 1 here (systemd 237)

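To answer the question raised above (how code can tell "no permission" from "no entries") without journalctl's private API, here is an added example that is not part of python-systemd or systemd. It combines stigok's idea of probing a protected log with sebix's exit-status observation: since `journal.Reader()` does not raise when system journal files cannot be opened, the check looks at the on-disk journal files directly and at group membership. It assumes a stock systemd layout (`/var/log/journal`, `/run/log/journal`, `<machine-id>/*.journal`) and the group names quoted from journalctl(1) above; `classify` and `privileged_groups` are pure functions so they can be exercised without a journal present.

```python
"""Distinguish "no journal entries" from "no permission to read the
system journal" from outside libsystemd.

Example code added for this page, not part of python-systemd or systemd.
journal.Reader() does not raise when the system journal files cannot be
opened and libsystemd exposes no public API for which files failed, so
this approximates journalctl's hint using two facts from journalctl(1):
the groups allowed to read all journal files, and the on-disk journal
locations (assumed: stock layout, no custom Storage= or namespaces).
"""
import glob
import grp
import os
import subprocess
from dataclasses import dataclass, field

# journalctl(1): members of these groups can read all journal files.
JOURNAL_GROUPS = ("systemd-journal", "adm", "wheel")
# Persistent and volatile system journal directories (assumption).
JOURNAL_DIRS = ("/var/log/journal", "/run/log/journal")


@dataclass
class JournalProbe:
    found: list = field(default_factory=list)       # *.journal files seen
    readable: list = field(default_factory=list)    # ...that we may read
    unreadable: list = field(default_factory=list)  # ...that we may not

    def verdict(self):
        """'ok', 'insufficient-permissions' or 'no-journal-files'."""
        if self.readable:
            return "ok"
        if self.found:
            return "insufficient-permissions"
        return "no-journal-files"


def classify(journal_files, can_read):
    """Split journal file paths by a readability predicate.

    Kept pure so it runs without touching /var/log; in real use
    `can_read` is os.access(path, os.R_OK), which honours the ACLs
    systemd puts on journal files for the adm/wheel groups.
    """
    probe = JournalProbe(found=list(journal_files))
    for path in probe.found:
        (probe.readable if can_read(path) else probe.unreadable).append(path)
    return probe


def privileged_groups(group_names, journal_groups=JOURNAL_GROUPS):
    """Which of the journal-reading groups the caller belongs to."""
    mine = set(group_names)
    return tuple(g for g in journal_groups if g in mine)


def current_group_names():
    """Names of this process's supplementary groups."""
    names = []
    for gid in os.getgroups():
        try:
            names.append(grp.getgrgid(gid).gr_name)
        except KeyError:  # gid with no entry in the group database
            pass
    return names


def probe_system_journal(dirs=JOURNAL_DIRS):
    """Find system journal files on disk and test read access to them."""
    files = []
    for d in dirs:
        # e.g. /var/log/journal/<machine-id>/system.journal, user-1000.journal
        files.extend(glob.glob(os.path.join(d, "*", "*.journal")))
    return classify(files, lambda p: os.access(p, os.R_OK))


def journalctl_system_readable(timeout=10):
    """Cross-check via journalctl's exit status (None if not installed).

    sebix reported above that `journalctl --system` exits 1 without
    permission on systemd 237; a non-zero status is treated as no access.
    """
    try:
        rc = subprocess.run(["journalctl", "--system", "-q", "-n", "1"],
                            stdout=subprocess.DEVNULL,
                            stderr=subprocess.DEVNULL,
                            timeout=timeout).returncode
    except FileNotFoundError:
        return None
    return rc == 0


def hint(probe, group_names):
    """A journalctl-style hint, or '' when system access looks fine."""
    verdict = probe.verdict()
    if verdict == "ok":
        return ""
    if verdict == "no-journal-files":
        return "No system journal files found under the probed directories."
    allowed = ", ".join(f"'{g}'" for g in JOURNAL_GROUPS)
    mine = privileged_groups(group_names)
    status = f"you are in {', '.join(mine)}" if mine else "you are in none of them"
    return ("No journal files were opened due to insufficient permissions. "
            f"Users in groups {allowed} can see all messages ({status}).")


if __name__ == "__main__":
    probe = probe_system_journal()
    print(probe.verdict(), hint(probe, current_group_names()))
    print("journalctl --system readable:", journalctl_system_readable())
```

Run it as the `developers` user from the first comment and it reports `insufficient-permissions` with the group hint; run it as a member of `systemd-journal` and it reports `ok`, so an empty `Reader` result can then be trusted as genuinely empty. The exit-status cross-check is a second opinion only: the page documents the behaviour for one systemd version, not as a stable contract.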
@keszybz
Member

keszybz commented Jun 16, 2019

journalctl uses private API to figure out what files were opened and what errors were encountered during attempts to open files. It then uses some detailed knowledge about systemd ACL setup to deliver a precise message. To replicate this in the python wrapper, additional information would have to be exported by the sd-journal code. I wouldn't be keen on reimplementing those heuristics, so ideally libsystemd would generate the same error message for us that journalctl and coredumpctl use.

@keszybz keszybz changed the title Reading from journald without permission to do so should throw an exception? RFE: provide hint if permissions do not allow any journal files to be opened Jun 16, 2019

4 participants