Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#38489 - [systemd] Wheel shouldn't be able to read the journal
Attached to Project:
Arch Linux
Opened by Steven (Stebalien) - Monday, 13 January 2014, 18:16 GMT
Last edited by Dave Reisner (falconindy) - Saturday, 05 April 2014, 16:50 GMT
Details
Currently, the wheel group can read the journal.
1. This contradicts the manual page: All users are granted access to their private per-user journals. However, by default, only root and users who are members of the "systemd-journal" group get access to the system journal and the journals of other users.
2. Being a member of the wheel group means a user can act as root after entering his or her password. However, it should not grant root-like privileges automatically.
Personally, I would also get rid of `adm` access as well (and the `adm` group altogether as, as far as I can tell, nothing uses it) but that's less of an issue.
Closed by Dave Reisner (falconindy)
Saturday, 05 April 2014, 16:50 GMT
Reason for closing: Upstream
Additional comments about closing: Arch is simply following upstream here.
Comment by Daniel Micay (thestinger) -
Sunday, 30 March 2014, 02:20 GMT
This sounds like it's entirely an upstream issue. Have you reported it on the systemd bug tracker?
Comment by Steven (Stebalien) -
Sunday, 30 March 2014, 15:25 GMT
This is a packaging issue. The install script calls `setfacl -Rnm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/ 2>/dev/null` which is Arch specific and undocumented.
Comment by Dave Reisner (falconindy) -
Sunday, 30 March 2014, 15:27 GMT
Very much documented in systemd-journald(8).
Comment by Steven (Stebalien) -
Sunday, 30 March 2014, 15:39 GMT
You're right, sorry. I was reading journalctl(1) which partially replicates the ACCESS CONTROL section of systemd-journald.service(8) but skips that important note. I'll take this up with upstream.
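An added example, not part of the original report or of the Arch package: a POSIX shell function that reads `getfacl` output and lists the named groups, other than `systemd-journal`, that hold effective read access, which is one way to audit the result of the `setfacl` call quoted in the comments above. The function names and the sample ACL text are constructed for illustration; the sample shows a mask that narrows the access entries (the case `setfacl -n` can leave behind) while the default entries still grant read.

```shell
#!/bin/sh
# Added example (not from the report). Reads `getfacl` text on stdin and prints
# "scope:group" for every named group, other than the allowed one, that has
# effective read access. Function and sample names are hypothetical.
journal_extra_readers() {
    awk -v allowed="${1:-systemd-journal}" '
        /^#/ || /^[ \t]*$/ { next }          # header comments, blank lines
        {
            eff = ""
            # getfacl appends "#effective:..." when the mask narrows an entry
            if (match($0, /#effective:[rwx-]+/))
                eff = substr($0, RSTART + 11, RLENGTH - 11)
            sub(/[ \t]*#.*/, "")             # drop the trailing comment
            split($0, f, ":")
            scope = "access"; i = 1
            if (f[1] == "default") { scope = "default"; i = 2 }
            if (f[i] != "group" || f[i + 1] == "") next  # named groups only
            perms = (eff != "") ? eff : f[i + 2]
            if (f[i + 1] != allowed && index(perms, "r"))
                print scope ":" f[i + 1]
        }' | LC_ALL=C sort -u
}

# Constructed sample in getfacl format: the access mask (--x) removes read
# from the named groups, the default ACL still hands it to new files.
sample_acl() {
    cat <<'EOF'
# file: /var/log/journal/
# owner: root
# group: systemd-journal
user::rwx
group::r-x
group:adm:r-x     #effective:--x
group:wheel:r-x   #effective:--x
mask::--x
other::---
default:user::rwx
default:group::r-x
default:group:adm:r-x
default:group:wheel:r-x
default:mask::r-x
default:other::---
EOF
}

# On a real system: getfacl -p /var/log/journal | journal_extra_readers
sample_acl | journal_extra_readers
```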