
Permissions on /var/log/journal are not correctly set by systemd-tmpfiles #5264

nlewo opened this issue Feb 7, 2017 · 6 comments
nlewo commented Feb 7, 2017

Submission type

  • Bug report
  • Request for enhancement (RFE)

NOTE: Do not submit anything other than bug reports or RFEs via the issue tracker!

systemd version the issue has been seen with

231, 232

NOTE: Do not submit bug reports about anything but the two most recently released systemd versions upstream!

Used distribution

NixOS

In case of bug report: Expected behaviour you didn't see

systemd-journal group should have r-x permissions on /var/log/journal

In case of bug report: Unexpected behaviour you saw

ACL permissions on the primary group (which is systemd-journal) are ---:

# getfacl /var/log/journal
# file: var/log/journal/
# owner: root
# group: systemd-journal
# flags: -s-
user::rwx
group::---
group:wheel:r-x
group:adm:r-x
mask::r-x
other::r-x
default:user::rwx
default:group::---
default:group:wheel:r-x
default:group:adm:r-x
default:mask::r-x
default:other::---

# ls -l /var/log
total 16
drwxr-sr-x+ 3 root systemd-journal 4096 Feb  7 20:55 journal

I think this is due to:

  • /var/log/journal has been created with permissions 700
  • the execution order of tmpfiles.d directives which has been:
...
Running create action for entry a /var/log/journal
Setting default ACL u::rwx,g::---,g:wheel:r-x,g:adm:r-x,m::r-x,o::--- on /var/log/journal.
...
Running create action for entry z /var/log/journal
"/var/log/journal" has right mode 42755

The first rule sets the primary group to --- while the second rule only sets the mask.

In case of bug report: Steps to reproduce the problem

Create the file /var/log/journal with permissions 700.
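The interaction described above (a directory created 700, an ACL applied that leaves the owning group entry untouched, then a chmod that only moves the mask), as an added model in Python that is not part of systemd or of this issue. It is a deliberately simplified model of the POSIX.1e rules for the access ACL (default ACL entries are skipped); the spec strings in the checks are the ones shown in the debug output and in the later error message, and the function names are assumed.

```python
def _bits_to_perm(bits: int) -> str:
    return "".join(c if bits & b else "-" for c, b in (("r", 4), ("w", 2), ("x", 1)))

def _perm_to_bits(perm: str) -> int:
    return sum(b for c, b in (("r", 4), ("w", 2), ("x", 1)) if c in perm)

def acl_from_mode(mode: int) -> dict[str, str]:
    """Minimal ACL of a plain file: u::, g::, o:: taken from the mode bits, no mask."""
    return {"u::": _bits_to_perm(mode >> 6 & 7),
            "g::": _bits_to_perm(mode >> 3 & 7),
            "o::": _bits_to_perm(mode & 7)}

def apply_acl_spec(acl: dict[str, str], spec: str) -> dict[str, str]:
    """Merge a tmpfiles/setfacl-style spec into the existing ACL (the 'a' action). Entries
    the spec does not name keep the file's current value, so g::--- survives from a 700 dir."""
    new = dict(acl)
    for entry in spec.split(","):
        parts = entry.split(":")
        if parts[0][0] == "d":   # 'd:'/'default:' entries form the separate default ACL; skipped
            continue
        tag, qual, perm = parts
        new[f"{tag[0]}:{qual}:"] = perm   # 'group' and 'g' both map to the key prefix 'g'
    named = [k for k in new if k.startswith(("u:", "g:")) and k not in ("u::", "g::")]
    if named and "m::" not in new:   # mask is recalculated only when the spec omits it
        bits = _perm_to_bits(new["g::"])
        for k in named:
            bits |= _perm_to_bits(new[k])
        new["m::"] = _bits_to_perm(bits)
    return new

def chmod(acl: dict[str, str], mode: int) -> dict[str, str]:
    """POSIX.1e rule: when a mask entry exists, the group bits of chmod set the MASK, not g::."""
    new = dict(acl)
    new["u::"] = _bits_to_perm(mode >> 6 & 7)
    new["m::" if "m::" in new else "g::"] = _bits_to_perm(mode >> 3 & 7)
    new["o::"] = _bits_to_perm(mode & 7)
    return new

def effective(acl: dict[str, str], key: str) -> str:
    """Effective rights of one entry: every entry except u:: and o:: is ANDed with the mask."""
    if key in ("u::", "o::") or "m::" not in acl:
        return acl[key]
    return _bits_to_perm(_perm_to_bits(acl[key]) & _perm_to_bits(acl["m::"]))

def primary_group_after(spec: str, initial_mode: int = 0o700, final_mode: int = 0o755) -> str:
    """Directory created with initial_mode, ACL spec applied ('a'), then chmod ('z')."""
    acl = chmod(apply_acl_spec(acl_from_mode(initial_mode), spec), final_mode)
    return effective(acl, "g::")   # what the owning group (systemd-journal) actually gets
```

Running the spec from the debug output against a 700 directory yields "---" for the owning group even after the chmod to 755, while a spec that names g:: explicitly yields "r-x"; a directory created 755 never shows the problem, which is why the report only reproduces when the directory pre-exists with mode 700.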

nlewo added a commit to nlewo/systemd that referenced this issue Feb 7, 2017
If the /var/log/journal directory is created with rights 700, the application
of ACL rules without any primary group right sets it to 0. A chmod 755 on
this file will then only set the ACL mask and leave the ACL primary group right
at 0. The directory is then unreadable for the primary group.

This patch explicitly sets the primary group to avoid this problem.

Fixes systemd#5264.
keszybz pushed a commit that referenced this issue Feb 7, 2017
shaba commented Mar 6, 2017

Reopen please.
After this commit I have an issue:

# systemd-tmpfiles --create /lib/tmpfiles.d/systemd.conf 
Failed to parse ACL "d:group::r-x,d:group:adm:r-x,d:group:wheel:r-x": Invalid argument. Ignoring
Failed to parse ACL "group::r-x,group:adm:r-x,group:wheel:r-x": Invalid argument. Ignoring

@keszybz keszybz reopened this Mar 6, 2017
nlewo commented Mar 6, 2017

@shaba sorry, I'm not able to test it now with systemd 233 (I only tested it with systemd 232 and it worked).
If it is easy for you to try this /lib/tmpfiles.d/systemd.conf file with systemd 232, do you also observe an issue?

shaba commented Mar 6, 2017

Yes, systemd-232 runs this config without error.

keszybz added a commit to keszybz/systemd that referenced this issue Mar 30, 2017
@poettering
@shaba is it possible that your system lacks the system groups mentioned in that ACL expression?

I am not sure why we should leave this specific issue open. The bug it was about appears fixed, but the issue @shaba pointed out appears to be something different.

@poettering
@keszybz do you know more about this?

@poettering
Closing due to lack of response.
