FS#34321 - [systemd] 198-1 is missing some user and permission bits

Attached to Project: Arch Linux
Opened by Jan (medhefgo) - Friday, 15 March 2013, 11:04 GMT
Last edited by Dave Reisner (falconindy) - Tuesday, 24 December 2013, 21:43 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Dave Reisner (falconindy), Tom Gundersen (tomegun)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 4
Private No

Details

In order for systemd-journal-gatewayd to work, it needs both a systemd-journal-gateway user and group.

Also, upstream recommends that distros give the journal the following permissions when installing/upgrading:
# setfacl -Rnm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/

Closed by Dave Reisner (falconindy)
Tuesday, 24 December 2013, 21:43 GMT
Reason for closing: Fixed
Additional comments about closing: ACLs added in 208-8. The group cannot be added by the systemd package -- this needs to be fixed in core/filesystem.
Comment by Dave Reisner (falconindy) - Friday, 15 March 2013, 11:33 GMT
systemd-journal-gatewayd is an invalid user/group name, which is why I didn't add it (it's too long -- shadow won't allow it).

The setfacl line you pulled is a suggestion from a man page. A suggestion, and that's it. Feel free to manage your machine the way you like it.
Comment by Jan (medhefgo) - Friday, 15 March 2013, 16:01 GMT
The user name issue is odd. groupadd doesn't let me create it, while useradd does actually create both the user and group. The service actually works then too. A quick check on shadow-utils in Fedora shows that they compile it with "--with-group-name-max-length=32". Maybe Arch should too? I just tried it and it works fine.

Yes, ACLs are a suggestion, but a good one to follow. It's not like it would break something; it's actually the contrary. Upgrading to the latest systemd prevents users of journalctl who put themselves in adm from reading the journal. This is a regression. It should either be noted when upgrading or the setfacl should be executed when installing.
Comment by ... (spider007) - Thursday, 25 April 2013, 10:01 GMT
It is too bad that gatewayd is actually in the package but doesn't work because of the missing user. Why not patch the gatewayd.service and use nobody/adm instead of the non-existing user/group? I have verified that it works fine.
Comment by Tom Gundersen (tomegun) - Thursday, 25 April 2013, 10:29 GMT
Dave: how come we are not following upstream on this? Any reason not to add the switch to shadow that Jan suggested? If so, we should argue with upstream to rename the user...
Comment by Dave Reisner (falconindy) - Thursday, 25 April 2013, 12:04 GMT
shadow in core already has this switch.
Comment by Mantas Mikulėnas (grawity) - Thursday, 25 April 2013, 13:56 GMT
The ACLs are actually set during `make install`; they just aren't preserved by the package. So it's an upstream default, not just a suggestion.
Comment by ... (spider007) - Saturday, 11 May 2013, 14:12 GMT
Okay, would someone please just add this to systemd.install?

> useradd -r -d /var/log/journal/ -s /bin/false systemd-journal-gateway
Comment by Dave Reisner (falconindy) - Saturday, 11 May 2013, 15:28 GMT
No, because systemd isn't the right place to add this as we've found in the past.
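
An added example, not part of the original report or of the Arch systemd package: a shell check that reads `getfacl` output and reports whether the wheel and adm entries from the setfacl line in the report are present and effective. Because that line passes `-n` (no mask recalculation), an entry can exist yet be cut down by the mask, which the check also flags. The function name and the sample ACL listings are constructed for illustration.

```sh
# Added example: audit getfacl output for the journal ACLs named in the report.
# Reads getfacl text on stdin, prints one line per problem, returns 1 if any.
check_journal_acl() {
    awk '
    { sub(/[ \t]*#.*/, "") }   # drop "# file:" headers and "#effective:" notes
    $0 == "" { next }
    {
        split($0, f, ":"); scope = "access"; i = 1
        if (f[1] == "default") { scope = "default"; i = 2 }
        if (f[i] == "mask") mask[scope] = f[i + 2]
        else if (f[i] == "group" && f[i + 1] != "") acl[scope, f[i + 1]] = f[i + 2]
    }
    END {
        bad = 0
        for (s = 1; s <= 2; s++) for (g = 1; g <= 2; g++) {
            scope = (s == 1) ? "access" : "default"
            grp = (g == 1) ? "wheel" : "adm"
            if (!((scope, grp) in acl)) { print "missing " scope " group:" grp; bad = 1; continue }
            # Named-group entries are limited by the mask of the same scope.
            p = acl[scope, grp]; m = (scope in mask) ? mask[scope] : "rwx"; eff = ""
            for (k = 1; k <= 3; k++)
                eff = eff ((substr(m, k, 1) == "-") ? "-" : substr(p, k, 1))
            if (substr(eff, 1, 1) != "r" || substr(eff, 3, 1) != "x") {
                print "insufficient " scope " group:" grp " (" p ", effective " eff ")"
                bad = 1
            }
        }
        exit bad
    }'
}

# Constructed sample listings (not captured from a real system).
SAMPLE_OK='group:adm:r-x
group:wheel:r-x
mask::r-x
default:group:adm:r-x
default:group:wheel:r-x
default:mask::r-x'
SAMPLE_MASKED='group:adm:r-x    #effective:r--
group:wheel:r-x  #effective:r--
mask::r--
default:group:adm:r-x
default:group:wheel:r-x
default:mask::r-x'
SAMPLE_PKG='user::rwx
group::r-x'

printf '%s\n' "$SAMPLE_MASKED" | check_journal_acl || true
```

On a live system the input would come from `getfacl /var/log/journal/ | check_journal_acl`.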
