FS#43852 - [systemd] on install - warning: directory ownership differs on /var/log/journal/remote/

Attached to Project: Arch Linux
Opened by jb (jb.1234abcd) - Tuesday, 17 February 2015, 06:31 GMT
Last edited by Dave Reisner (falconindy) - Saturday, 21 February 2015, 16:42 GMT
Task Type: Bug Report
Category: Packages: Core
Status: Closed
Assigned To: Thomas Bächler (brain0), Dave Reisner (falconindy), Tom Gundersen (tomegun)
Architecture: i686
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 3
Private: No

Details

Description:
On install of systemd I get:
warning: directory ownership differs on /var/log/journal/remote/
filesystem: 0:999 package: 0:0

Additional info:
* package version(s)

libsystemd-218-2
systemd-218-2
systemd-sysvcompat-218-2

* config and/or log files etc.

$ ls -al /var/log/journal/
total 28
drwxr-sr-x+ 4 root systemd-journal 4096 Feb 4 18:59 .
drwxr-xr-x 4 root root 4096 Feb 4 18:59 ..
drwxr-sr-x+ 2 root systemd-journal 4096 Feb 4 19:07 d9f9af52a6e54710a8428c16f96331da
drwxr-sr-x+ 2 root systemd-journal-remote 4096 Dec 11 03:18 remote

$ grep -i systemd-journal /etc/passwd
systemd-journal-gateway:x:191:191:systemd-journal-gateway:/:/usr/bin/nologin
systemd-journal-upload:x:998:998:systemd Journal Upload:/:/sbin/nologin
systemd-journal-remote:x:999:999:systemd Journal Remote:/:/sbin/nologin

Steps to reproduce:
pacman -Syu

Closed by Dave Reisner (falconindy)
Saturday, 21 February 2015, 16:42 GMT
Reason for closing: Fixed
Additional comments about closing: systemd-219-2
Comment by jb (jb.1234abcd) - Tuesday, 17 February 2015, 12:28 GMT
$ grep -i systemd-journal /etc/group
systemd-journal:x:190:
systemd-journal-gateway:x:191:
systemd-journal-upload:x:998:
systemd-journal-remote:x:999:
Comment by Bruno Pagani (ArchangeGabriel) - Tuesday, 17 February 2015, 12:52 GMT
I can confirm this, except that for me systemd-journal-remote is 997 (and upload 996), but since those are not in the <500 reserved ID, this is fine.
Comment by Patcom (Patcom) - Tuesday, 17 February 2015, 14:05 GMT
Same for me (but slightly differing number): "Dateisystem: 0:998 Paket: 0:0"

But I guess the solution to this bug will be the same as for all such bugs: nothing + manual fixing to match the package with chown (chown 0:0 /var/log/journal/remote). See e.g. https://bugs.archlinux.org/task/43616 for a short discussion of this.
Comment by Bruno Pagani (ArchangeGabriel) - Tuesday, 17 February 2015, 14:10 GMT
OK, but how do you know if the package or the system is right? For instance here, I didn’t chown to 0:0, because it didn’t look terrible that /var/log/journal/remote is owned by the systemd-journal-remote group. Should I fix it and why?
Comment by Dave Reisner (falconindy) - Tuesday, 17 February 2015, 14:11 GMT
> But I guess the solution to this bug will be the same as for all such bugs: nothing + manual fixing to match the package with chown (chown 0:0 /var/log/journal/remote).
This is exactly the *wrong* advice.
Comment by jb (jb.1234abcd) - Tuesday, 17 February 2015, 14:17 GMT
I have a problem with this setup of journal dirs.
Why is the sgid bit needed for /var/log/journal and any dirs below it?
What contents of these dirs could be desired to be sgid-executable?

I searched for any references and only found the ones below, where some people wonder as well:
http://lists.freedesktop.org/archives/systemd-devel/2014-June/019833.html
https://bbs.archlinux.org/viewtopic.php?id=170749
https://bugs.archlinux.org/task/37170
Comment by Dave Reisner (falconindy) - Tuesday, 17 February 2015, 14:22 GMT
You have a problem with it because you assume that the setgid bit on a dir means the same as it does on a file. Think about this: does the executable bit on a dir make everything under it executable?
Comment by Patcom (Patcom) - Tuesday, 17 February 2015, 20:45 GMT
@falconindy: okay, why is this "exactly the *wrong* advice"? So, is the package wrong?

Note that I did not say that I think this is a good state that every now and then there are wrong permission warnings during updates.
Comment by jb (jb.1234abcd) - Thursday, 19 February 2015, 12:39 GMT
@falconindy:
Regarding the setgid on dirs, /var/log/journal/remote in particular - is it not aiding the attacker's exploit in acquiring systemd-journal-remote gid automatically?
To me, systemd-journal-remote.service is quite risky due to its possible outer interfaces.
For example:
-rwxr-sr-x 1 root systemd-journal-remote 133156 Jul 19 2014 exploit

Is the setgid on dir not a means of obfuscation here?
In our case only systemd-journal-remote.service is supposed to create and fill in the log dirs.
The setgid on dir makes sense only if the dir is shared by users with different gids (e.g. shared project dir).
If so, would it not be preferable to remove the setgid on dir here?
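
The directory setgid semantics this thread turns on, as an added example that is not part of the report or of any comment: on Linux, the bit on a directory makes new entries inherit the directory's group and new subdirectories inherit the bit, while files created there do not become setgid themselves. The scratch paths and function names are constructed for the demo.

```shell
#!/bin/sh
# Added example: what the setgid bit on a directory does to entries created in it.
# Everything happens in a scratch directory (constructed); no system path is touched.

# "setgid" if the path carries the set-group-ID bit, else "plain" (POSIX -g test).
sgid_state() {
    if [ -g "$1" ]; then echo setgid; else echo plain; fi
}

# Numeric group owner of a path (4th field of ls -n).
group_of() {
    ls -dn "$1" | awk '{print $4}'
}

# Count regular files under a tree that carry the setgid bit themselves.
# That bit on an executable file changes the effective gid; the directory bit does not.
count_setgid_files() {
    find "$1" -type f -perm -2000 | wc -l | tr -d ' '
}

setgid_demo() {
    root=$(mktemp -d) || return 1
    dir="$root/remote"                 # stands in for /var/log/journal/remote
    mkdir "$dir" && chmod 2755 "$dir"  # rwxr-sr-x, as in the ls output above

    : > "$dir/remote.journal"          # new regular file
    mkdir "$dir/sub"                   # new subdirectory
    printf '#!/bin/sh\nexit 0\n' > "$dir/tool"
    chmod 755 "$dir/tool"              # new executable file

    if [ "$(group_of "$dir/remote.journal")" = "$(group_of "$dir")" ]; then
        inherited=yes
    else
        inherited=no
    fi

    echo "dir=$(sgid_state "$dir") file=$(sgid_state "$dir/remote.journal")" \
         "exec=$(sgid_state "$dir/tool") subdir=$(sgid_state "$dir/sub")" \
         "group_inherited=$inherited setgid_files=$(count_setgid_files "$root")"
    rm -rf "$root"
}

setgid_demo
```

To audit a real journal tree, `find /var/log/journal -type f -perm -2000` lists any regular file that carries the bit itself.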
