FS#37040 - Error in manpage for journalctl

Attached to Project: Arch Linux
Opened by Jon Gjengset (Jonhoo) - Tuesday, 24 September 2013, 16:17 GMT
Last edited by Dave Reisner (falconindy) - Tuesday, 24 September 2013, 18:40 GMT
Task Type: Bug Report
Category: Packages: Core
Status: Closed
Assigned To: No-one
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

Description:
The man page for journalctl states that adding a user to the group "adm" will grant that user access to system logs. This is not correct (at least not in my clean Arch install). The group users should be added to is actually "systemd-journal". Adding the user to the group "adm" has no effect on access to journals.

Don't know if this is an upstream bug, or whether this is due to Arch using a different group for the journals? Please advise.

$ man journalctl
... users who are members of the "adm" group get access to the system journal
$ ls -l /var/log/journal/$(cat /etc/machine-id)
...
-rw-r----- 1 root systemd-journal 10874880 Sep 24 19:11 system.journal
...

Additional info:
* package version: systemd 207-5

Closed by  Dave Reisner (falconindy)
Tuesday, 24 September 2013, 18:40 GMT
Reason for closing:  Fixed
Additional comments about closing:  http://cgit.freedesktop.org/systemd/systemd/commit/?id=8bd94f7a03032ac9218e
Comment by Dave Reisner (falconindy) - Tuesday, 24 September 2013, 16:48 GMT
Looks correct to me. Does your filesystem for /var not support ACLs?

$ getfacl /var/log/journal/f2987b1c316d1e4e496bd04f00000087/system.journal
getfacl: Removing leading '/' from absolute path names
# file: var/log/journal/f2987b1c316d1e4e496bd04f00000087/system.journal
# owner: root
# group: systemd-journal
user::rw-
group::r-x #effective:r--
group:adm:r-x #effective:r--
group:wheel:r-x #effective:r--
mask::r--
other::---
Comment by Jon Gjengset (Jonhoo) - Tuesday, 24 September 2013, 17:17 GMT
On a brand new system running stock kernel:

$ getfacl system.journal
# file: system.journal
# owner: root
# group: systemd-journal
user::rw-
group::r--
other::---
$ mount | grep /var
/dev/sda3 on /var type ext4 (rw,relatime,data=ordered)

Should I manually add acl to the mount options for /var?
If so, perhaps genfstab should be updated to include it?
Comment by Dave Reisner (falconindy) - Tuesday, 24 September 2013, 17:29 GMT
genfstab has nothing to do with this.

I think your manpage is fubar. 207-5's manpage says:

"Journal files are, by default, owned and readable by the "systemd-journal" system group but are not writable. Adding a user to this group thus enables her/him to read the journal files."

There's no mention of the "adm" group except to explicitly state:

"Additional users and groups may be granted access to journal files via file system access control lists (ACL). Distributions and administrators may choose to grant read access to all members of the "wheel" and "adm" system groups with a command such as the following:

# setfacl -Rnm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/"
Comment by Jon Gjengset (Jonhoo) - Tuesday, 24 September 2013, 18:25 GMT
Don't see why it should be fubar though. Just installed this machine using the 09.01 install media and online install (so installed the newest packages before even booting).

The reason I brought up genfstab was because that's the only thing I've used to create my fstab, so if systemd wants an acl mount flag, presumably genfstab should add it. Don't see why ACL should be necessary though...

$ pacman -Qi systemd
Name : systemd
Version : 207-5
Description : system and service manager
Architecture : x86_64
URL : http://www.freedesktop.org/wiki/Software/systemd
Licences : GPL2 LGPL2.1 MIT
Groups : None
Provides : libsystemd=207 nss-myhostname systemd-tools=207 udev=207 libgudev-1.0.so=0-64 libsystemd-daemon.so=0-64 libsystemd-id128.so=0-64
libsystemd-journal.so=0-64 libsystemd-login.so=0-64 libudev.so=1-64
Depends On : acl bash dbus-core glib2 kbd kmod hwids libcap libgcrypt pam util-linux xz
Optional Deps : cryptsetup: required for encrypted block devices [installed]
libmicrohttpd: systemd-journal-gatewayd
quota-tools: kernel-level quota management
python: systemd library bindings [installed]
systemd-sysvcompat: symlink package to provide sysvinit binaries [installed]
Required By : colord device-mapper gnome-session libgusb libusbx lvm2 mesa mkinitcpio netctl pcmciautils polkit qtwebkit systemd-sysvcompat upower
xf86-input-evdev
Optional For : None
Conflicts With : libsystemd nss-myhostname systemd-tools udev
Replaces : libsystemd nss-myhostname systemd-tools udev
Installed Size : 12422.00 KiB
Packager : Dave Reisner <dreisner@archlinux.org>
Build Date : Thu 19 Sep 2013 23:12:56 BST
Install Date : Tue 24 Sep 2013 13:43:41 BST
Install Reason : Installed as a dependency for another package
Install Script : Yes
Validated By : Signature

$ man 1 journalctl | grep -A1 adm
All users are granted access to their private per-user journals. However, by default, only root and users who are members of the "adm" group get access to the
system journal and the journals of other users
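
Added example (not part of the original thread, and not code from systemd or Arch): a shell function that reads getfacl output and lists the groups whose effective permissions on a journal file include read, applying the ACL mask the way the "#effective" annotations above do. The function name journal_read_groups is hypothetical; the two sample listings are constructed from the getfacl output posted in the comments above.

```shell
#!/bin/sh
# Constructed samples, copied from the two getfacl listings in this thread.
ACL_WITH_ADM='# file: system.journal
# owner: root
# group: systemd-journal
user::rw-
group::r-x #effective:r--
group:adm:r-x #effective:r--
group:wheel:r-x #effective:r--
mask::r--
other::---'

ACL_PLAIN='# file: system.journal
# owner: root
# group: systemd-journal
user::rw-
group::r--
other::---'

# journal_read_groups (hypothetical helper): reads getfacl output on stdin
# and prints, sorted on one line, every group with effective read access.
# Live use: getfacl -p /var/log/journal/<machine-id>/system.journal | journal_read_groups
journal_read_groups() {
    awk '
        /^# group: /  { owner_group = $3; next }   # owning group from the header
        /^#/ || /^$/  { next }                      # other headers, blank lines
        {
            sub(/[ \t]*#.*/, "")                    # drop "#effective:" annotations
            n = split($0, f, ":")
            if (n != 3) next                        # skips "default:..." entries
            if (f[1] == "mask") { mask = f[3]; has_mask = 1 }
            else if (f[1] == "group") {
                name = (f[2] == "") ? owner_group : f[2]
                perms[name] = f[3]
            }
        }
        END {
            for (g in perms) {
                readable = (substr(perms[g], 1, 1) == "r")
                # The mask caps the owning group and every named group.
                if (has_mask && substr(mask, 1, 1) != "r") readable = 0
                if (readable) print g
            }
        }
    ' | LC_ALL=C sort | paste -sd ' ' -
}
```

Comparing the result against the group named in the installed man page shows directly whether documentation and on-disk permissions agree.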
