6

How do I grant read-only permission to somegroup to read the system journal? (I'm on Debian 10 buster).

$ journalctl  
Hint: You are currently not seeing messages from other users and the system.
      Users in the 'systemd-journal' group can see all messages. Pass -q to
      turn off this notice.
No journal files were opened due to insufficient permissions.

I know I can add a user to the systemd-journal group, but how do I give a group read-permission?

Stewart

1 Answer

10

tl;dr

Create the following file:

# /etc/tmpfiles.d/somegroup_journal.conf
#Type  Path                           Mode User Group Age Argument
a+     /run/log/journal               -    -    -     -   d:group:somegroup:r-x
a+     /run/log/journal               -    -    -     -   group:somegroup:r-x
a+     /run/log/journal/%m            -    -    -     -   d:group:somegroup:r-x
a+     /run/log/journal/%m            -    -    -     -   group:somegroup:r-x
a+     /run/log/journal/%m/*.journal* -    -    -     -   d:group:somegroup:r--
a+     /run/log/journal/%m/*.journal* -    -    -     -   group:somegroup:r--

How to figure it out:

man systemd-journald.service(8) has the following:

Additional users and groups may be granted access to journal files via file system access control lists (ACL). Distributions and administrators may choose to grant read access to all members of the "wheel" and "adm" system groups with a command such as the following:

# setfacl -Rnm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/

While this sounds perfect, the example touches /var/log/journal/, but journalctl prioritizes /run/log/journal/ as demonstrated by the following source:

if (laccess("/run/log/journal", F_OK) >= 0)
        dir = "/run/log/journal";
else
        dir = "/var/log/journal";

/* If we are in any of the groups listed in the journal ACLs,
 * then all is good, too. Let's enumerate all groups from the
 * default ACL of the directory, which generally should allow
 * access to most journal files too. */

r = acl_search_groups(dir, &g);

/run is mounted as tmpfs, so the following ACL rule would probably not persist:

# setfacl -Rnm g:somegroup:rx,d:g:somegroup:rx /run/log/journal/

To make this persist, configure whatever is used to generate /run/log/journal. Browsing a few more sources, we find tmpfiles.d/systemd.conf.m4:

z /run/log/journal 2755 root systemd-journal - -
Z /run/log/journal/%m ~2750 systemd-journal - -
m4_ifdef(`HAVE_ACL',`
a+ /run/log/journal/%m - - - - d:group:adm:r-x
a+ /run/log/journal/%m - - - - group:adm:r-x
a+ /run/log/journal/%m/*.journal* - - - - d:group:adm:r--
')m4_dnl

This suggests that the ACL rules need to be added in tmpfiles.d. The compiled version of the above file is found locally at /usr/lib/tmpfiles.d/systemd.conf. Combining that example with man tmpfiles.d(5) gives some details to help create a working solution.

Create the following file:

# /etc/tmpfiles.d/somegroup_journal.conf
#Type  Path                           Mode User Group Age Argument
a+     /run/log/journal               -    -    -     -   d:group:somegroup:r-x
a+     /run/log/journal               -    -    -     -   group:somegroup:r-x
a+     /run/log/journal/%m            -    -    -     -   d:group:somegroup:r-x
a+     /run/log/journal/%m            -    -    -     -   group:somegroup:r-x
a+     /run/log/journal/%m/*.journal* -    -    -     -   d:group:somegroup:r--
a+     /run/log/journal/%m/*.journal* -    -    -     -   group:somegroup:r--

A quick test plus reboot confirms that this works!

Flow

Stewart
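The script below is an added example (my own, not code from the original answer or from systemd) that packages the answer's procedure: it generates the tmpfiles.d drop-in for any group name, applies it immediately with `systemd-tmpfiles --create` instead of waiting for a reboot, and verifies the result with `getfacl`. It assumes volatile journal storage (no `/var/log/journal` directory, the Debian 10 default); with persistent storage `/var/log/journal` needs ACL entries as well, which is what the `setfacl` line quoted from the man page does. One deliberate difference from the answer's file: default ACLs (`d:`) apply only to directories, so the `d:` entry on `*.journal*` is left out; the default entries on the `%m` directory already make journal files created later inherit read access. The function names, the drop-in file name `/etc/tmpfiles.d/<group>_journal.conf` and the group-name check are my own choices.

```shell
#!/bin/sh
# Added example, not part of the original answer: build the tmpfiles.d drop-in
# for an arbitrary group, apply it without rebooting, and verify the ACLs.
# Assumes volatile journal storage (no /var/log/journal), the Debian 10 default.
set -eu

# Print the tmpfiles.d fragment that grants read-only journal access to $1.
# Directories get r-x (traverse + list); journal files get r--. The "d:" entries
# are default ACLs on the directories, so files journald creates later (e.g.
# after rotation) inherit the grant without another tmpfiles run. Default ACLs
# are only meaningful on directories, so no "d:" entry is written for files.
gen_journal_tmpfiles() {
    group=$1
    # Refuse anything that is not a plausible group name (assumed policy);
    # a ':' in particular would be read as an ACL field separator.
    case $group in
        ''|*[!A-Za-z0-9._-]*)
            printf 'invalid group name: %s\n' "$group" >&2
            return 1 ;;
    esac
    cat <<EOF
# Read-only journal access for group "$group" (generated)
#Type  Path                           Mode User Group Age Argument
a+     /run/log/journal               -    -    -     -   d:group:$group:r-x
a+     /run/log/journal               -    -    -     -   group:$group:r-x
a+     /run/log/journal/%m            -    -    -     -   d:group:$group:r-x
a+     /run/log/journal/%m            -    -    -     -   group:$group:r-x
a+     /run/log/journal/%m/*.journal* -    -    -     -   group:$group:r--
EOF
}

# Write the drop-in and apply it now (needs root). No reboot is required:
# "systemd-tmpfiles --create FILE" processes the a+ lines of that file
# against the directories and journal files that already exist.
install_journal_acl() {
    group=$1
    conf="/etc/tmpfiles.d/${group}_journal.conf"
    getent group "$group" >/dev/null   # the group must exist or setfacl fails
    gen_journal_tmpfiles "$group" > "$conf"
    systemd-tmpfiles --create "$conf"
    # Verify: the machine-id directory should now carry both the access and
    # the default entry for the group.
    getfacl -p "/run/log/journal/$(cat /etc/machine-id)" | grep "group:$group"
}

# Usage: sh somegroup_journal.sh GROUP          (print the drop-in)
#        sudo sh somegroup_journal.sh GROUP apply (write, apply and verify it)
if [ $# -ge 1 ]; then
    if [ "${2-}" = apply ]; then
        install_journal_acl "$1"
    else
        gen_journal_tmpfiles "$1"
    fi
fi
```

Group membership is evaluated at login, so check from a fresh session of a member of the group, for example `su - alice -c 'journalctl -n 5 --no-pager'`, rather than from a shell that was open before the user was added to the group.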