Bug 1411198 - systemd-journald service should set up log storage properly
Summary: systemd-journald service should set up log storage properly
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: systemd
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: systemd-maint
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Duplicates: 1414071
Depends On:
Blocks: 1546552
Reported: 2017-01-09 04:32 UTC by Alois Mahdal
Modified: 2021-01-15 07:30 UTC (History)
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-01-15 07:30:03 UTC
Target Upstream Version:


Links
Red Hat Bugzilla 1414071 (Private: 0, Priority: unspecified, Status: CLOSED, Last Updated: 2021-02-22 00:41:40 UTC): systemd-journal-gatewayd doesn't work when /run/log/journal is re-created by systemd-journald

Internal Links: 1414071

Description Alois Mahdal 2017-01-09 04:32:20 UTC
Description of problem
======================

When log storage (persistent or volatile) is missing (e.g. it has not been
created or has been removed manually) systemd-journald will create it,
but it will not properly set ownership and ACL.  This means that after
removing storage and restarting systemd-journald.service, new logs will
be only readable by root.

According to discussion with Michal Sekletár, the intended course of
action is to call systemd-tmpfiles to "fix" the permissions, which will
apply whatever scheme is configured in /usr/lib/tmpfiles.d/systemd.conf
(normally this is "read-only by groups systemd-journal, adm and wheel").
(systemd-tmpfiles is also called during boot, so an alternative would be
to reboot.)

The problem with this design is that there will always be a window when log
permissions are not set up properly.  Also, since the expected course
of action on the admin's part is not very intuitive, the window may be much
longer than necessary.

This bug is to consider a way to help remove this extra step.


Version-Release number of selected component
============================================

systemd-219-30.el7


How reproducible
================

Always


Steps to Reproduce
==================

This works the same for volatile and persistent storage, just the path
is different.  Note that persistent storage can be turned on either
by setting Storage=persistent or by setting Storage=auto and creating
/var/log/journal.

 1. Remove /var/log/journal or /run/log/journal
 2. Restart systemd-journald.service
 3. Check storage path permissions


Actual results
==============

System logs belong to and are only readable by root.  (If SplitMode is
set to 'uid' there may also be user-specific logs.)


Expected results
================

Members of groups adm, wheel and systemd-journal (or whatever is specified
in aforementioned config file) should have read access to the logs.


Additional info
===============

For the record, Michal mentioned the idea of adding systemd-tmpfiles to
ExecStartPost of systemd-journald.service.
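
A check for step 3 of the reproduction steps, as an added example that is not part of the original report or of systemd: it audits a journal storage directory for the group ownership, group mode bits and group ACL entries the report expects. The function name, its finding labels and the choice of which directory to pass are assumptions; GNU `stat` is assumed, and `getfacl` is used only if installed.

```shell
#!/bin/sh
# Added example. Group names follow the report's description of
# /usr/lib/tmpfiles.d/systemd.conf; adjust them to the local configuration.

# check_journal_dir DIR OWNER_GROUP [ACL_GROUP...]   (hypothetical helper)
# Prints one line per finding. Returns 0 if DIR is group-owned by OWNER_GROUP
# with group r-x and every ACL_GROUP has an r-x ACL entry, 1 if not, 2 if absent.
check_journal_dir() {
    dir=$1; want_group=$2; shift 2
    rc=0
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"
        return 2
    fi
    group=$(stat -c '%G' "$dir")   # GNU stat: owning group name
    mode=$(stat -c '%a' "$dir")    # GNU stat: octal mode, e.g. 2755
    if [ "$group" != "$want_group" ]; then
        echo "GROUP $dir: owned by group '$group', expected '$want_group'"
        rc=1
    fi
    # The group permission digit is the second-to-last octal digit of the mode.
    gdigit=$(printf '000%s' "$mode" | sed 's/.*\(.\).$/\1/')
    case $gdigit in
        5|7) ;;
        *) echo "MODE $dir: mode $mode gives the group no r-x access"; rc=1 ;;
    esac
    # ACL entries are only checked when getfacl exists; a skip is not a failure.
    for g in "$@"; do
        if ! command -v getfacl >/dev/null 2>&1; then
            echo "SKIP $dir: getfacl not installed, ACL for '$g' not checked"
        elif ! getfacl -cp "$dir" 2>/dev/null | grep -q "^group:$g:r-x"; then
            echo "ACL $dir: no r-x entry for group '$g'"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use: sh check.sh DIR systemd-journal adm wheel
# A non-zero result is the state the report describes; the fix it names is
# running systemd-tmpfiles, e.g. systemd-tmpfiles --create --prefix DIR
if [ "$#" -ge 2 ]; then check_journal_dir "$@"; fi
```

Run it right after restarting systemd-journald.service and again after systemd-tmpfiles to see the window the report describes close.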

Comment 3 David Tardon 2019-02-01 14:27:47 UTC
*** Bug 1414071 has been marked as a duplicate of this bug. ***

Comment 5 RHEL Program Management 2021-01-15 07:30:03 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.

