Bug 1101226

Summary: journalctl: Access Control, user in adm group cannot see root logs
Product: Red Hat Enterprise Linux 7 Reporter: Petr Sklenar <psklenar>
Component: systemd Assignee: systemd-maint
Status: CLOSED ERRATA QA Contact: Robin Hack <rhack>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.1 CC: amahdal, jscotka, lnykryn, msekleta, mvollmer, rhack, systemd-maint-list
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: systemd-219-1.el7 Doc Type: Bug Fix
Last Closed: 2015-11-19 14:56:36 UTC Type: Bug
Bug Blocks: 1101267, 1143927    

Description Petr Sklenar 2014-05-26 12:24:14 UTC
Description of problem:
user in adm group cannot see root log file

Version-Release number of selected component (if applicable):
systemd-208-11.el7.x86_64

How reproducible:
always

Steps to Reproduce:
[root@pes-guest-67 ~]# usermod -a -G adm petr
[root@pes-guest-67 ~]# su - petr
Last login: Mon May 26 14:10:45 CEST 2014 on pts/0
[petr@pes-guest-67 ~]$ journalctl 
No journal files were found.

Actual results:
petr cannot see all the logs

Expected results:
petr can see all the logs

Additional info:

Comment 4 Michal Sekletar 2014-06-27 13:30:29 UTC
We have to change journald so it will adjust the default group for the directory to systemd-journal and set ACLs on the directory.

Comment 6 Michal Sekletar 2015-04-17 08:44:47 UTC
*** Bug 1211499 has been marked as a duplicate of this bug. ***

Comment 8 Marius Vollmer 2015-04-17 12:53:26 UTC
(In reply to Michal Sekletar from comment #4)
> We have to change journald so it will adjust the default group for the
> directory to systemd-journal and set ACLs on the directory.

Will that also give "wheel" access, or only "adm"?

Comment 9 Lukáš Nykrýn 2015-04-17 14:48:51 UTC
New tmpfiles snippet has

a+ /run/log/journal/%m - - - - d:group:adm:r-x,d:group:wheel:r-x
A+ /run/log/journal/%m - - - - group:adm:r-x,group:wheel:r-x
a+ /var/log/journal/%m - - - - d:group:adm:r-x,d:group:wheel:r-x
A+ /var/log/journal/%m - - - - group:adm:r-x,group:wheel:r-x
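
A way to confirm that the ACLs from the snippet in comment 9 are really in effect, added here as an example (not part of the bug report or of systemd). It reads `getfacl` output and checks both the access and the default ACL for a group, applying the ACL mask; the function names and the sample data are constructed for illustration.

```shell
# Added example: function names and sample data are constructed, not from systemd.
# acl_effective SCOPE GROUP: read getfacl text on stdin and print the named
# group's permissions in SCOPE (access|default) after applying the ACL mask.
acl_effective() {
    awk -v scope="$1" -v grp="$2" '
        /^#/ || /^$/ { next }
        {
            line = $1                        # drops a trailing "#effective:" note
            isdef = sub(/^default:/, "", line)
            if (isdef != (scope == "default")) next
            split(line, f, ":")
            if (f[1] == "mask") mask = f[3]
            if (f[1] == "group" && f[2] == grp) perm = f[3]
        }
        END {
            if (perm == "") { print "none"; exit }
            if (mask == "") mask = "rwx"     # no mask entry, nothing filtered
            for (i = 1; i <= 3; i++) {
                p = substr(perm, i, 1); m = substr(mask, i, 1)
                c = (p != "-" && m != "-") ? p : "-"; out = out c
            }
            print out
        }'
}

# journal_readable GROUP: succeed only if GROUP can list the directory now
# (access ACL) and entries created later inherit the group entry (default ACL).
journal_readable() {
    acl=$(cat)
    for scope in access default; do
        eff=$(printf '%s\n' "$acl" | acl_effective "$scope" "$1")
        case $eff in
            r?x) ;;
            *) echo "$1: $scope ACL is '$eff', need r-x" >&2; return 1 ;;
        esac
    done
}

# Constructed getfacl output: SAMPLE_FIXED matches the snippet in comment 9,
# SAMPLE_MASKED has the same entries but an access mask that removes read.
SAMPLE_FIXED='# file: var/log/journal/MACHINE-ID
group:adm:r-x
group:wheel:r-x
mask::r-x
default:group:adm:r-x
default:group:wheel:r-x
default:mask::r-x'
SAMPLE_MASKED=$(printf '%s\n' "$SAMPLE_FIXED" | sed 's/^mask::r-x/mask::--x/')
```

On a real host, pipe the output of `getfacl` for the journal directory (the `%m` in the snippet is the machine ID) into `journal_readable adm` or `journal_readable wheel`.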

Comment 10 Lukáš Nykrýn 2015-04-21 13:50:59 UTC
This should be now fixed with the rebase.

Comment 14 errata-xmlrpc 2015-11-19 14:56:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2092.html