1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
|
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#include "acl-util.h"
#include "bus-error.h"
#include "bus-locator.h"
#include "bus-util.h"
#include "fd-util.h"
#include "fs-util.h"
#include "hashmap.h"
#include "journal-internal.h"
#include "journal-util.h"
#include "log.h"
#include "strv.h"
#include "user-util.h"
static int access_check_var_log_journal(sd_journal *j, bool want_other_users) {
int r;
assert(j);
/* If we are root, we should have access, don't warn. */
if (getuid() == 0)
return 0;
/* If we are in the 'systemd-journal' group, we should have
* access too. */
r = in_group("systemd-journal");
if (r < 0)
return log_error_errno(r, "Failed to check if we are in the 'systemd-journal' group: %m");
if (r > 0)
return 0;
#if HAVE_ACL
_cleanup_strv_free_ char **g = NULL;
const char* dir;
if (laccess("/run/log/journal", F_OK) >= 0)
dir = "/run/log/journal";
else
dir = "/var/log/journal";
/* If we are in any of the groups listed in the journal ACLs,
* then all is good, too. Let's enumerate all groups from the
* default ACL of the directory, which generally should allow
* access to most journal files too. */
r = acl_search_groups(dir, &g);
if (r < 0)
return log_error_errno(r, "Failed to search journal ACL: %m");
if (r > 0)
return 0;
/* Print a pretty list, if there were ACLs set. */
if (!strv_isempty(g)) {
_cleanup_free_ char *s = NULL;
/* There are groups in the ACL, let's list them */
r = strv_extend(&g, "systemd-journal");
if (r < 0)
return log_oom();
strv_sort_uniq(g);
s = strv_join(g, "', '");
if (!s)
return log_oom();
log_notice("Hint: You are currently not seeing messages from %s.\n"
" Users in groups '%s' can see all messages.\n"
" Pass -q to turn off this notice.",
want_other_users ? "other users and the system" : "the system",
s);
return 1;
}
#endif
/* If no ACLs were found, print a short version of the message. */
log_notice("Hint: You are currently not seeing messages from %s.\n"
" Users in the 'systemd-journal' group can see all messages. Pass -q to\n"
" turn off this notice.",
want_other_users ? "other users and the system" : "the system");
return 1;
}
int journal_access_blocked(sd_journal *j) {
return hashmap_contains(j->errors, INT_TO_PTR(-EACCES));
}
int journal_access_check_and_warn(sd_journal *j, bool quiet, bool want_other_users) {
void *code;
char *path;
int r = 0;
assert(j);
if (hashmap_isempty(j->errors)) {
if (ordered_hashmap_isempty(j->files) && !quiet)
log_notice("No journal files were found.");
return 0;
}
if (journal_access_blocked(j)) {
if (!quiet)
(void) access_check_var_log_journal(j, want_other_users);
if (ordered_hashmap_isempty(j->files))
r = log_error_errno(EACCES, "No journal files were opened due to insufficient permissions.");
}
HASHMAP_FOREACH_KEY(path, code, j->errors) {
int err;
err = abs(PTR_TO_INT(code));
switch (err) {
case EACCES:
continue;
case ENODATA:
log_warning_errno(err, "Journal file %s is truncated, ignoring file.", path);
break;
case EPROTONOSUPPORT:
log_warning_errno(err, "Journal file %1$s uses an unsupported feature, ignoring file.\n"
"Use SYSTEMD_LOG_LEVEL=debug journalctl --file=%1$s to see the details.",
path);
break;
case EBADMSG:
log_warning_errno(err, "Journal file %s corrupted, ignoring file.", path);
break;
case ETOOMANYREFS:
log_warning_errno(err, "Too many journal files (limit is at %u) in scope, ignoring file '%s'.", JOURNAL_FILES_MAX, path);
break;
default:
log_warning_errno(err, "An error was encountered while opening journal file or directory %s, ignoring file: %m", path);
break;
}
}
return r;
}
int journal_open_machine(sd_journal **ret, const char *machine, int flags) {
_cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
_cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL;
_cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
_cleanup_(sd_journal_closep) sd_journal *j = NULL;
_cleanup_close_ int machine_fd = -EBADF;
int fd, r;
assert(ret);
assert(machine);
if (geteuid() != 0)
/* The file descriptor returned by OpenMachineRootDirectory() will be owned by users/groups of
* the container, thus we need root privileges to override them. */
return log_error_errno(SYNTHETIC_ERRNO(EPERM), "Using the --machine= switch requires root privileges.");
r = sd_bus_open_system(&bus);
if (r < 0)
return log_error_errno(r, "Failed to open system bus: %m");
r = bus_call_method(bus, bus_machine_mgr, "OpenMachineRootDirectory", &error, &reply, "s", machine);
if (r < 0)
return log_error_errno(r, "Failed to open root directory of machine '%s': %s",
machine, bus_error_message(&error, r));
r = sd_bus_message_read(reply, "h", &fd);
if (r < 0)
return bus_log_parse_error(r);
machine_fd = fcntl(fd, F_DUPFD_CLOEXEC, 3);
if (machine_fd < 0)
return log_error_errno(errno, "Failed to duplicate file descriptor: %m");
r = sd_journal_open_directory_fd(&j, machine_fd, SD_JOURNAL_OS_ROOT | SD_JOURNAL_TAKE_DIRECTORY_FD | flags);
if (r < 0)
return log_error_errno(r, "Failed to open journal in machine '%s': %m", machine);
TAKE_FD(machine_fd);
*ret = TAKE_PTR(j);
return 0;
}
|