On 07/09/2015 12:17 AM, Vincent Lefevre wrote:
> FYI, I installed Jessie then upgraded to unstable.

Ah, that explains it, see below:

>> grep -r var/log/journal {/etc,/usr/lib}/tmpfiles.d
>
> /usr/lib/tmpfiles.d/systemd.conf:z /var/log/journal 2755 root systemd-journal - -
> /usr/lib/tmpfiles.d/systemd.conf:z /var/log/journal/%m 2755 root systemd-journal - -
> /usr/lib/tmpfiles.d/systemd.conf:a+ /var/log/journal/%m - - - - d:group:adm:r-x
> /usr/lib/tmpfiles.d/systemd.conf:A+ /var/log/journal/%m - - - - group:adm:r-x

Ok, that's it: a+/A+ is new in systemd in unstable (don't remember when exactly it was introduced, but 215 from Jessie doesn't have it), and that is used to set ACLs.

So what happened is the following:

- journald created these files after you initially set Storage=persistent, but without ACLs (and thus no ACL mask)
- the tmpfiles.d snippet was executed after that (probably at the next boot)
- A+ is recursive and adds ACL entries (in this case for the adm group)
- but since the files didn't have an ACL mask yet, it was automatically created, leaving the mask with an x bit (because the adm-ACL for group was added with x)

=> That's where the x bit comes from.

Thus: the bit is harmless, you may remove it.

What would be interesting to see is the following:

- remove the executable bit in the mask (= "group permission bit" since the files use ACLs) on those files
- reboot
- see if the bit is set again

If I read the upstream docs correctly[1], since those files will now already have a mask, the bit shouldn't be added anymore. Also, since new files inherit the default ACLs from the parent directory, they will automatically have ACLs already (but the mask will be based on the file creation mode), so that they also shouldn't have the executable bit set upon reboot.

If that is not the case, i.e. the executable bit is still set in either case (after a reboot), then there's a discrepancy between the docs and the code, so you should open a bug report about that. (Don't have time to test that myself right now.)

That said, I think it would be justified to open a bug report about the current behavior (even if after removing the bit once it doesn't occur anymore), and the solution would be to have tmpfiles.d provide an option to set ACLs without recalculating a mask (equivalent to what setfacl -n does), and change the tmpfiles.d snippet to make use of that.

Christian

[1] http://www.freedesktop.org/software/systemd/man/tmpfiles.d.html
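
The sequence described in this message (mask created with an x bit, bit removed by hand, snippet run again) can be traced with a small model; this is an added example, not part of the original message and not systemd or setfacl code. The AclFile class, the 0640 starting mode and the three policy names are assumptions: "union" recalculates the mask on every run, "if-absent" creates it only when none exists (the behaviour the message expects from its reading of the docs, untested), and "never" corresponds to the setfacl -n style option the message proposes.

```python
# Added illustration: a model of POSIX ACL mask handling, not systemd or setfacl code.
R, W, X = 4, 2, 1

def rwx(p):
    return "".join(c if p & b else "-" for c, b in zip("rwx", (R, W, X)))

class AclFile:
    def __init__(self, mode):
        self.user, self.group, self.other = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
        self.named = {}    # named entries, e.g. {"group:adm": R | X}
        self.mask = None   # None: no ACL mask entry exists yet

    def add_named(self, who, perms, policy):
        """Add a named entry; policy decides what happens to the mask."""
        self.named[who] = perms
        union = self.group
        for p in self.named.values():
            union |= p
        if policy == "union" or (policy == "if-absent" and self.mask is None):
            self.mask = union          # mask widened to cover every group-class entry
        elif self.mask is None:
            self.mask = self.group     # "never" (like setfacl -n): start from owning group

    def chmod_group(self, perms):
        # Once a mask exists, the group permission bits are the mask.
        if self.mask is None:
            self.group = perms
        else:
            self.mask = perms

    def mode(self):
        g = self.group if self.mask is None else self.mask
        return self.user << 6 | g << 3 | self.other

    def effective(self, who):
        return self.named[who] & self.mask

def journal_scenario(policy):
    f = AclFile(0o640)                       # assumed mode of a journal file created without ACLs
    f.add_named("group:adm", R | X, policy)  # entry from the A+ line
    first = f.mode()
    f.chmod_group(R)                         # clear the x bit in the mask by hand
    f.add_named("group:adm", R | X, policy)  # snippet runs again at the next boot
    return oct(first), oct(f.mode()), rwx(f.effective("group:adm"))

if __name__ == "__main__":
    for policy in ("union", "if-absent", "never"):
        print(policy, journal_scenario(policy))
```

Each result is the mode after the first run, the mode after the bit was cleared and the snippet ran again, and the effective rights of group adm on the file.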