FS#38489 - [systemd] Wheel shouldn't be able to read the journal
Attached to Project:
Arch Linux
Opened by Steven (Stebalien) - Monday, 13 January 2014, 18:16 GMT
Last edited by Dave Reisner (falconindy) - Saturday, 05 April 2014, 16:50 GMT
Details
Currently, the wheel group can read the journal.
1. This contradicts the manual page: "All users are granted access to their private per-user journals. However, by default, only root and users who are members of the "systemd-journal" group get access to the system journal and the journals of other users."
2. Being a member of the wheel group means a user can act as root after entering his or her password. However, it should not grant root-like privileges automatically.
Personally, I would also get rid of `adm` access as well (and the `adm` group altogether as, as far as I can tell, nothing uses it) but that's less of an issue.
This task depends upon
Closed by Dave Reisner (falconindy)
Saturday, 05 April 2014, 16:50 GMT
Reason for closing: Upstream
Additional comments about closing: Arch is simply following upstream here.
Comment by Daniel Micay (thestinger) - Sunday, 30 March 2014, 02:20 GMT
This sounds like it's entirely an upstream issue. Have you reported it on the systemd bug tracker?
Comment by Steven (Stebalien) - Sunday, 30 March 2014, 15:25 GMT
This is a packaging issue. The install script calls `setfacl -Rnm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/ 2>/dev/null` which is Arch specific and undocumented.
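The report's complaint (wheel and adm being granted read access on /var/log/journal, beyond the systemd-journal group named in the manual) and the setfacl call quoted in the comment above both come down to the named group entries in the directory's access and default ACLs. The following audit script is an added example, not code from the Arch package or from systemd: it parses getfacl output and lists every named group with read permission, so an administrator can confirm what the install script left behind. The getfacl text embedded below is constructed to match the ACL the quoted command would produce; the script only falls back to it when getfacl or the directory is unavailable, and the function names are my own.

```sh
#!/bin/sh
# Constructed sample of `getfacl -p /var/log/journal` output as it would look
# after the install script's setfacl call above (hypothetical, not captured
# from a real host).
SAMPLE_ACL='# file: /var/log/journal
# owner: root
# group: systemd-journal
user::rwx
group::r-x
group:wheel:r-x
group:adm:r-x
mask::r-x
other::---
default:user::rwx
default:group::r-x
default:group:wheel:r-x
default:group:adm:r-x
default:mask::r-x
default:other::---'

# Named groups (entries of the form group:NAME:perms) whose access ACL entry
# includes read permission. The owning group (group::perms) is skipped because
# that is the systemd-journal group the manual page documents.
extra_read_groups() {
    printf '%s\n' "$1" | awk -F: '
        /^group:[^:]+:/ { if ($3 ~ /r/) print $2 }
    ' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Same check on the default ACL, which is inherited by journal files created
# later, so it matters as much as the directory's own entry.
extra_default_read_groups() {
    printf '%s\n' "$1" | awk -F: '
        /^default:group:[^:]+:/ { if ($4 ~ /r/) print $3 }
    ' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Audit a journal directory. Uses getfacl on a live system; otherwise falls
# back to the constructed sample so the script runs anywhere. Returns 1 when
# any named group has read access, 0 when only the owning group does.
audit_journal_acl() {
    dir=${1:-/var/log/journal}
    if command -v getfacl >/dev/null 2>&1 && [ -d "$dir" ]; then
        acl=$(getfacl -p "$dir" 2>/dev/null) || acl=""
    else
        acl=$SAMPLE_ACL
    fi
    groups=$(extra_read_groups "$acl")
    defaults=$(extra_default_read_groups "$acl")
    if [ -n "$groups" ] || [ -n "$defaults" ]; then
        echo "$dir: named groups with read access: ${groups:-none}; in default ACL: ${defaults:-none}"
        return 1
    fi
    echo "$dir: no named groups beyond the owning group"
    return 0
}

audit_journal_acl "$@"
```

On a host where the audit reports wheel or adm, the matching cleanup is setfacl's removal option (for example `setfacl -Rx g:wheel,d:g:wheel /var/log/journal`), which drops both the access and the default entries so that only root and systemd-journal members keep the access the manual page describes.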
Comment by Dave Reisner (falconindy) - Sunday, 30 March 2014, 15:27 GMT
Very much documented in systemd-journald(8).
Comment by Steven (Stebalien) - Sunday, 30 March 2014, 15:39 GMT
You're right, sorry. I was reading journalctl(1) which partially replicates the ACCESS CONTROL section of systemd-journald.service(8) but skips that important note. I'll take this up with upstream.