From e8d55cb62e0c12b09d3fa02f4fc1a1e0b197020b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Sun, 8 Mar 2015 11:04:59 -0400 Subject: [PATCH] journalctl: update hint now that we set ACL everywhere (cherry picked from commit 05c1853093d8c4e4aa16876b5129b65dac5abd01) --- src/journal/journalctl.c | 25 +++++++++++-------------- 1 file changed, 11 insertions(+), 14 deletions(-) diff --git a/src/journal/journalctl.c b/src/journal/journalctl.c index 55c7786331..12c869f5af 100644 --- a/src/journal/journalctl.c +++ b/src/journal/journalctl.c @@ -1542,10 +1542,17 @@ static int access_check_var_log_journal(sd_journal *j) { have_access = in_group("systemd-journal") > 0; if (!have_access) { + const char* dir; + + if (access("/run/log/journal", F_OK) >= 0) + dir = "/run/log/journal"; + else + dir = "/var/log/journal"; + /* Let's enumerate all groups from the default ACL of * the directory, which generally should allow access * to most journal files too */ - r = search_acl_groups(&g, "/var/log/journal/", &have_access); + r = search_acl_groups(&g, dir, &have_access); if (r < 0) return r; } @@ -1571,7 +1578,7 @@ static int access_check_var_log_journal(sd_journal *j) { return log_oom(); log_notice("Hint: You are currently not seeing messages from other users and the system.\n" - " Users in the groups '%s' can see all messages.\n" + " Users in groups '%s' can see all messages.\n" " Pass -q to turn off this notice.", s); } } @@ -1595,18 +1602,8 @@ static int access_check(sd_journal *j) { if (set_contains(j->errors, INT_TO_PTR(-EACCES))) { #ifdef HAVE_ACL - /* If /var/log/journal doesn't even exist, - * unprivileged users have no access at all */ - if (access("/var/log/journal", F_OK) < 0 && - geteuid() != 0 && - in_group("systemd-journal") <= 0) { - log_error("Unprivileged users cannot access messages, unless persistent log storage is\n" - "enabled. Users in the 'systemd-journal' group may always access messages."); - return -EACCES; - } - - /* If /var/log/journal exists, try to pring a nice - notice if the user lacks access to it */ + /* If /run/log/journal or /var/log/journal exist, try + to pring a nice notice if the user lacks access to it. */ if (!arg_quiet && geteuid() != 0) { r = access_check_var_log_journal(j); if (r < 0)