Bug 1411198

Summary: systemd-journald service should set up log storage properly
Product: Red Hat Enterprise Linux 7
Reporter: Alois Mahdal <amahdal>
Component: systemd
Assignee: systemd-maint
Status: CLOSED WONTFIX
QA Contact: qe-baseos-daemons
Severity: unspecified
Priority: unspecified
Version: 7.3
CC: fsumsal, systemd-maint-list
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Last Closed: 2021-01-15 07:30:03 UTC
Type: Bug
Bug Blocks: 1546552

Description Alois Mahdal 2017-01-09 04:32:20 UTC
Description of problem
======================

When log storage (persistent or volatile) is missing (e.g. it has not been
created or has been removed manually) systemd-journald will create it,
but it will not properly set ownership and ACL.  This means that after
removing storage and restarting systemd-journald.service, new logs will
be only readable by root.

According to discussion with Michal Sekletár, the intended course of
action is to call systemd-tmpfiles to "fix" the permissions, which will
apply whatever scheme is configured in /usr/lib/tmpfiles.d/systemd.conf
(normally this is "read-only by groups systemd-journal, adm and wheel").
(systemd-tmpfiles is also called during boot, so an alternative would be
to reboot.)

The problem with this design is that there will always be a window when log
permissions are not set up properly.  Also, since the expected course
of action on the admin's part is not very intuitive, the window may be much
longer than necessary.

This bug is to consider a way to help remove this extra step.


Version-Release number of selected component
============================================

systemd-219-30.el7


How reproducible
================

Always


Steps to Reproduce
==================

This works the same for volatile and persistent storage, just the path
is different.  Note that persistent storage can be turned on either
by setting Storage=persistent or by setting Storage=auto and creating
/var/log/journal.

 1. Remove /var/log/journal or /run/log/journal
 2. Restart systemd-journald.service
 3. Check storage path permissions


Actual results
==============

System logs belong to and are only readable by root.  (If SplitMode is
set to 'uid' there may also be user-specific logs.)


Expected results
================

Members of groups adm, wheel and systemd-journal (or whatever is specified
in aforementioned config file) should have read access to the logs.


Additional info
===============

For the record, Michal mentioned the idea of adding systemd-tmpfiles to
ExecStartPost of systemd-journald.service.
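
A check for the symptom described in this report, added here as an example; it is not part of the original bug or of systemd. The function names and the `--audit` switch are hypothetical, and the script tests only group ownership and the group read bit, not the ACL entries for adm and wheel.

```shell
#!/bin/sh
# Added example (not from the bug report or from systemd).
# Audits a journal storage tree for the symptom described above: entries
# that are not group-owned by the journal group or that the group cannot read.

# Print every path under $1 whose group is not $2 (default: systemd-journal,
# the group named in the report) or that lacks the group read bit.
# A missing directory prints nothing: journald has not recreated it yet or
# that storage type is not in use.
journal_perm_findings() {
    dir=$1
    group=${2:-systemd-journal}
    [ -d "$dir" ] || return 0
    find "$dir" \( ! -group "$group" -o ! -perm -040 \) -print
}

# Report on one storage path. Returns 0 when clean, 1 when findings exist,
# and prints the systemd-tmpfiles call that reapplies the configured scheme.
check_journal_storage() {
    findings=$(journal_perm_findings "$1" "$2")
    if [ -z "$findings" ]; then
        echo "OK   $1"
        return 0
    fi
    echo "BAD  $1"
    printf '%s\n' "$findings" | sed 's/^/       /'
    echo "     fix: systemd-tmpfiles --create --prefix $1"
    return 1
}

# Hypothetical entry point: "sh journal-audit.sh --audit" checks both
# storage locations named in the report.
if [ "${1:-}" = "--audit" ]; then
    rc=0
    for path in /var/log/journal /run/log/journal; do
        check_journal_storage "$path" systemd-journal || rc=1
    done
    exit "$rc"
fi
```

Run after restarting systemd-journald.service, a non-zero exit shows that the window described above is still open on that host.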

Comment 3 David Tardon 2019-02-01 14:27:47 UTC
*** Bug 1414071 has been marked as a duplicate of this bug. ***

Comment 5 RHEL Program Management 2021-01-15 07:30:03 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.