Discussion:
systemd 211 journal getting created with different permissions
Greg KH
2014-03-12 01:46:20 UTC
Hi all,

With systemd 211, a new journal file is getting created with permissions
of root:root instead of root:systemd-journal like previously (210 and
prior).

I looked at the git log and can't see anything obvious that would have
caused this.

Is this intentional? Or something on my end with my system's
configuration?

thanks,

greg k-h
Mantas Mikulėnas
2014-03-12 02:21:55 UTC
Post by Greg KH
Hi all,
With systemd 211, a new journal file is getting created with permissions
of root:root instead of root:systemd-journal like previously (210 and
prior).
I looked at the git log and can't see anything obvious that would have
caused this.
Is this intentional? Or something on my end with my system's
configuration?
Normally the journal files just inherit the group of /var/log/journal,
which has the setgid bit (and the correct group) set by
/usr/lib/tmpfiles.d/systemd.conf.

If you ran `make install`, however, it would chown /var/log/journal to
0:0 until the next time systemd-tmpfiles ran.
--
Mantas Mikulėnas <***@gmail.com>
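
The group inheritance described in the reply above can be checked on a running system. This is an added example, not part of the original thread or of systemd itself: a POSIX shell function (the name `audit_journal_dir` and its output labels are hypothetical; GNU `stat` is assumed) that reports a journal directory without the setgid bit or with the wrong group, and any `*.journal` file whose group differs from the expected one.

```shell
#!/bin/sh
# Added example: audit a journal directory for the setgid/group
# inheritance described in the thread. Assumes GNU stat (coreutils).
# Usage: audit_journal_dir DIR [GROUP]   (GROUP defaults to systemd-journal)
# Prints one finding per line; prints nothing when everything matches.
audit_journal_dir() (
    dir=$1
    want=${2:-systemd-journal}

    if [ ! -d "$dir" ]; then
        echo "missing-dir $dir"
        exit 0
    fi

    # Without setgid on the directory, a new file gets the group of the
    # process that creates it instead of the directory's group.
    [ -g "$dir" ] || echo "no-setgid $dir"

    dir_group=$(stat -c '%G' "$dir")
    [ "$dir_group" = "$want" ] || echo "dir-group $dir $dir_group"

    # Existing files keep the group they were created with, so a
    # directory that is fixed later still leaves old files to correct.
    for f in "$dir"/*.journal; do
        [ -f "$f" ] || continue
        file_group=$(stat -c '%G' "$f")
        [ "$file_group" = "$want" ] || echo "file-group $f $file_group"
    done
)
```

On a real host the directory to pass is the per-machine one that `%m` expands to, for example `audit_journal_dir "/var/log/journal/$(cat /etc/machine-id)"`.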
Greg KH
2014-03-12 03:38:58 UTC
Post by Mantas Mikulėnas
Post by Greg KH
Hi all,
With systemd 211, a new journal file is getting created with permissions
of root:root instead of root:systemd-journal like previously (210 and
prior).
I looked at the git log and can't see anything obvious that would have
caused this.
Is this intentional? Or something on my end with my system's
configuration?
Normally the journal files just inherit the group of /var/log/journal,
which has the setgid bit (and the correct group) set by
/usr/lib/tmpfiles.d/systemd.conf.
I thought so, and this worked on 210, and the permissions of
/var/log/journal/ is correct:

drwxr-sr-x 2 root systemd-journal 4096 Mar 12 01:36 0da484f8dee497fee9585ba9531fb7f1
Post by Mantas Mikulėnas
If you ran `make install`, however, it would chown /var/log/journal to
0:0 until the next time systemd-tmpfiles ran.
This gets created by the ebuild (this is on CoreOs), and the 210 ebuild
worked, so what is different here?

confused,

greg k-h
Greg KH
2014-03-12 04:41:50 UTC
Post by Greg KH
Post by Mantas Mikulėnas
Post by Greg KH
Hi all,
With systemd 211, a new journal file is getting created with permissions
of root:root instead of root:systemd-journal like previously (210 and
prior).
I looked at the git log and can't see anything obvious that would have
caused this.
Is this intentional? Or something on my end with my system's
configuration?
Normally the journal files just inherit the group of /var/log/journal,
which has the setgid bit (and the correct group) set by
/usr/lib/tmpfiles.d/systemd.conf.
I thought so, and this worked on 210, and the permissions of
drwxr-sr-x 2 root systemd-journal 4096 Mar 12 01:36 0da484f8dee497fee9585ba9531fb7f1
Post by Mantas Mikulėnas
If you ran `make install`, however, it would chown /var/log/journal to
0:0 until the next time systemd-tmpfiles ran.
This gets created by the ebuild (this is on CoreOs), and the 210 ebuild
worked, so what is different here?
Apologies, I can now reproduce this on systemd 210, so this isn't a 211
issue from what I can tell just yet, sorry for the noise.

greg k-h
Greg KH
2014-03-12 05:44:17 UTC
Post by Greg KH
Post by Greg KH
Post by Mantas Mikulėnas
Post by Greg KH
Hi all,
With systemd 211, a new journal file is getting created with permissions
of root:root instead of root:systemd-journal like previously (210 and
prior).
I looked at the git log and can't see anything obvious that would have
caused this.
Is this intentional? Or something on my end with my system's
configuration?
Normally the journal files just inherit the group of /var/log/journal,
which has the setgid bit (and the correct group) set by
/usr/lib/tmpfiles.d/systemd.conf.
I thought so, and this worked on 210, and the permissions of
drwxr-sr-x 2 root systemd-journal 4096 Mar 12 01:36 0da484f8dee497fee9585ba9531fb7f1
Post by Mantas Mikulėnas
If you ran `make install`, however, it would chown /var/log/journal to
0:0 until the next time systemd-tmpfiles ran.
This gets created by the ebuild (this is on CoreOs), and the 210 ebuild
worked, so what is different here?
Apologies, I can now reproduce this on systemd 210, so this isn't a 211
issue from what I can tell just yet, sorry for the noise.
In looking at this further, the /usr/lib/tmpfiles.d/systemd.conf will
not change the permissions on the journald file, only the directory:
m /var/log/journal 2755 root systemd-journal - -
m /var/log/journal/%m 2755 root systemd-journal - -
m /run/log/journal 2755 root systemd-journal - -
m /run/log/journal/%m 2755 root systemd-journal - -

So what is supposed to set the permissions on the journal file(s) that
live in /var/log/journal/%m/ ?

Let me do a build with 207 and see how that handles this issue...

thanks,

greg k-h
Greg KH
2014-03-12 06:08:59 UTC
Post by Greg KH
Post by Greg KH
Post by Greg KH
Post by Mantas Mikulėnas
Post by Greg KH
Hi all,
With systemd 211, a new journal file is getting created with permissions
of root:root instead of root:systemd-journal like previously (210 and
prior).
I looked at the git log and can't see anything obvious that would have
caused this.
Is this intentional? Or something on my end with my system's
configuration?
Normally the journal files just inherit the group of /var/log/journal,
which has the setgid bit (and the correct group) set by
/usr/lib/tmpfiles.d/systemd.conf.
I thought so, and this worked on 210, and the permissions of
drwxr-sr-x 2 root systemd-journal 4096 Mar 12 01:36 0da484f8dee497fee9585ba9531fb7f1
Post by Mantas Mikulėnas
If you ran `make install`, however, it would chown /var/log/journal to
0:0 until the next time systemd-tmpfiles ran.
This gets created by the ebuild (this is on CoreOs), and the 210 ebuild
worked, so what is different here?
Apologies, I can now reproduce this on systemd 210, so this isn't a 211
issue from what I can tell just yet, sorry for the noise.
In looking at this further, the /usr/lib/tmpfiles.d/systemd.conf will
m /var/log/journal 2755 root systemd-journal - -
m /var/log/journal/%m 2755 root systemd-journal - -
m /run/log/journal 2755 root systemd-journal - -
m /run/log/journal/%m 2755 root systemd-journal - -
So what is supposed to set the permissions on the journal file(s) that
live in /var/log/journal/%m/ ?
Let me do a build with 207 and see how that handles this issue...
Ah, found it.

Commit 4608af4333d0f7f5f8e3bc632801b04ef07d246d is the issue.

We moved from handling the mode internally, in 207, to using the
tmpfiles.d infrastructure in 208. On systems that previously were
working on 207, if you upgrade, the permissions are set properly from
207.

But, for 208, this changed :(

So, what's the odds that file globbing works with tmpfiles.d, time to
rebuild...

greg k-h
Greg KH
2014-03-12 06:24:35 UTC
Post by Greg KH
Post by Greg KH
Post by Greg KH
Post by Greg KH
Post by Mantas Mikulėnas
Post by Greg KH
Hi all,
With systemd 211, a new journal file is getting created with permissions
of root:root instead of root:systemd-journal like previously (210 and
prior).
I looked at the git log and can't see anything obvious that would have
caused this.
Is this intentional? Or something on my end with my system's
configuration?
Normally the journal files just inherit the group of /var/log/journal,
which has the setgid bit (and the correct group) set by
/usr/lib/tmpfiles.d/systemd.conf.
I thought so, and this worked on 210, and the permissions of
drwxr-sr-x 2 root systemd-journal 4096 Mar 12 01:36 0da484f8dee497fee9585ba9531fb7f1
Post by Mantas Mikulėnas
If you ran `make install`, however, it would chown /var/log/journal to
0:0 until the next time systemd-tmpfiles ran.
This gets created by the ebuild (this is on CoreOs), and the 210 ebuild
worked, so what is different here?
Apologies, I can now reproduce this on systemd 210, so this isn't a 211
issue from what I can tell just yet, sorry for the noise.
In looking at this further, the /usr/lib/tmpfiles.d/systemd.conf will
m /var/log/journal 2755 root systemd-journal - -
m /var/log/journal/%m 2755 root systemd-journal - -
m /run/log/journal 2755 root systemd-journal - -
m /run/log/journal/%m 2755 root systemd-journal - -
So what is supposed to set the permissions on the journal file(s) that
live in /var/log/journal/%m/ ?
Let me do a build with 207 and see how that handles this issue...
Ah, found it.
Commit 4608af4333d0f7f5f8e3bc632801b04ef07d246d is the issue.
We moved from handling the mode internally, in 207, to using the
tmpfiles.d infrastructure in 208. On systems that previously were
working on 207, if you upgrade, the permissions are set properly from
207.
But, for 208, this changed :(
So, what's the odds that file globbing works with tmpfiles.d, time to
rebuild...
It works well enough, the following patch fixes the issue for me:

diff --git a/tmpfiles.d/systemd.conf b/tmpfiles.d/systemd.conf
index 7c6d6b9099b9..1aeb5e40f1ee 100644
--- a/tmpfiles.d/systemd.conf
+++ b/tmpfiles.d/systemd.conf
@@ -24,5 +24,7 @@ d /run/systemd/shutdown 0755 root root -

m /var/log/journal 2755 root systemd-journal - -
m /var/log/journal/%m 2755 root systemd-journal - -
+m /var/log/journal/%m/system.journal 2755 root systemd-journal - -
m /run/log/journal 2755 root systemd-journal - -
m /run/log/journal/%m 2755 root systemd-journal - -
+m /run/log/journal/%m/system.journal 2755 root systemd-journal - -
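
Review bot: Both added system.journal lines reuse the directory mode 2755 for a regular file, which puts the setgid and execute bits on the journal and leaves it readable by everyone instead of only by root and the systemd-journal group. A file mode such as 0640 with the same root:systemd-journal ownership would match the intent better. The entries also name only system.journal, so any other file under /var/log/journal/%m/ or /run/log/journal/%m/ keeps whatever group it was created with; since the message says globbing works in tmpfiles.d, a glob entry would cover those as well.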