author: Lennart Poettering <lennart@poettering.net> 2013-03-05 18:53:21 +0100
committer: Lennart Poettering <lennart@poettering.net> 2013-03-05 18:59:03 +0100
commit: a24c64f03f9c5c0304451d8542fee853187a5168 (patch)
tree: edf4d80e044bf051629d8dcdfe43c9d6ec2abf67 /README
parent: journald: stpcpy() + mempcpy() are awesome (diff)
journald: introduce new "systemd-journal" group and make it own the journal files
Previously all journal files were owned by "adm". In order to allow specific users to read the journal files without granting them access to the full "adm" powers, introduce a new specific group for this. "systemd-journal" has to be created by the packaging scripts manually at installation time. It's a good idea to assign a static UID/GID to this group, since /var/log/journal might be shared across machines via NFS. This commit also grants read access to the journal files by default to members of the "wheel" and "adm" groups via file system ACLs, since these "almost-root" groups should be able to see what's going on on the system. These ACLs are created by "make install". Packagers probably need to duplicate this logic in their postinst scripts. This also adds documentation on how to grant access to the journal to additional users or groups via fs ACLs.
Diffstat (limited to 'README')
-rw-r--r--  README | 13
1 files changed, 13 insertions, 0 deletions
diff --git a/README b/README
index d8b1b1296a..300a4cf8bc 100644
--- a/README
+++ b/README
@@ -100,6 +100,19 @@ REQUIREMENTS:
being 'html' or 'latexpdf'. If using DESTDIR for installation,
pass the same DESTDIR to 'make sphinx-html' invocation.
+USERS AND GROUPS:
+ During runtime the journal daemon requires the
+ "system-journal" system group to exist. New journal files will
+ be readable by this group (but not writable) which may be used
+ to grant specific users read access.
+
+ It is also recommended to grant read access to all journal
+ files to the system groups "wheel" and "adm" with a command
+ like the following in the post installation script of the
+ package:
+
+ # setfacl -nm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/
+
WARNINGS:
systemd will warn you during boot if /etc/mtab is not a
symlink to /proc/mounts. Please ensure that /etc/mtab is a
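Review bot: the group name in the new USERS AND GROUPS section does not match the commit: the README line `+ "system-journal" system group to exist.` names "system-journal", while the commit subject and message introduce "systemd-journal". Packagers following the README would create a group the daemon never looks for, so this should read `"systemd-journal" system group to exist.` Secondary point on the suggested `setfacl -nm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/` line: as written it sets the access ACL on the top-level directory and a default ACL for entries created beneath it afterwards, so journal files and per-machine subdirectories that already exist at upgrade time are not covered; either state that this only affects newly created files, or document the recursive form for the upgrade case.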