Bug#717386: [Pkg-systemd-maintainers] Bug#717386: systemd-journal group does not exist
Hi,

having read through this report in detail I think using ACLs would be
best, 'cause:

On Sat, Jul 20, 2013 at 11:37:43AM +0200, Michael Stapelberg wrote:
[..snip..]
> Thanks for creating a bug report to track this, it was planned from our
> side to do this (but after the upload). I see three action items here:
>
> 1. (bug #717386) Create the systemd-journal group

That makes sense with ACLs and the explanation Sven attached from the
upstream logs. We might want a user with minimal rights given that adm
continues to work.

> 2. (bug #717388) Ensure systemd-journal and adm have read access to
>    /var/log/journal

...by setting filesystem ACLs as upstream does

> 3. (bug #717388) Patch the message in journalctl to make users aware
>    of the adm group.

This is IMHO already fixed. If you look at access_check_var_log_journal
in upstream git it will print a list of groups given that you have ACLs
enabled and search_acl_groups doesn't fail.

Let me know if I can help to drive this further.
Cheers,
 -- Guido

>
> --
> Best regards,
> Michael
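A check for action item 2 above, as an added example that is not part of the original thread or of the systemd packaging: it reads `getfacl` output for the journal directory and lists the groups that lack effective read access. The function name `journal_acl_gaps` and both sample ACL listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `getfacl` text for a journal directory.
# journal_acl_gaps "<groups>" reads getfacl output on stdin and prints each
# listed group that lacks effective r-x on the directory.
# Effective rights of group entries are the entry ANDed with the mask entry.
journal_acl_gaps() {
    awk -v want="$1" '
        function has(p, c) { return index(p, c) > 0 }
        /^# group:/         { owner_grp = $3; next }   # owning group name
        /^#/ || /^default:/ { next }                   # headers, default ACL
        {
            sub(/[ \t]*#.*/, "")       # drop trailing effective-rights note
            if (split($0, f, ":") != 3) next
            if (f[1] == "mask")  mask = f[3]
            if (f[1] == "group") perm[(f[2] == "") ? owner_grp : f[2]] = f[3]
        }
        END {
            m = split(want, g, " ")
            for (i = 1; i <= m; i++) {
                p = perm[g[i]]
                ok = has(p, "r") && has(p, "x")
                if (mask != "") ok = ok && has(mask, "r") && has(mask, "x")
                if (!ok) print g[i]
            }
        }'
}

# Constructed sample: directory owned by group systemd-journal, no ACL for adm.
SAMPLE_NO_ADM='# file: var/log/journal
# owner: root
# group: systemd-journal
user::rwx
group::r-x
other::---'

# Constructed sample: named entry for adm present, mask leaves it intact.
SAMPLE_WITH_ADM='# file: var/log/journal
# owner: root
# group: systemd-journal
user::rwx
group::r-x
group:adm:r-x
mask::r-x
other::---'

printf '%s\n' "$SAMPLE_NO_ADM"   | journal_acl_gaps "systemd-journal adm"  # prints: adm
printf '%s\n' "$SAMPLE_WITH_ADM" | journal_acl_gaps "systemd-journal adm"  # prints nothing
```

On a live system the input would come from `getfacl /var/log/journal`; an empty result means every listed group can read the directory.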
Bug#717386: [Pkg-systemd-maintainers] Bug#717386: Bug#717386: systemd-journal group does not exist
On Wed, Jul 24, 2013 at 07:18:21PM -0700, Josh Triplett wrote:
> On Thu, Jul 25, 2013 at 03:37:46AM +0200, Michael Biebl wrote:
> > On 25.07.2013 03:22, Josh Triplett wrote:
> > > On Thu, Jul 25, 2013 at 02:44:58AM +0200, Michael Biebl wrote:
> > >> On 20.07.2013 08:18, Josh Triplett wrote:
> > >>> Package: systemd
> > >>> Version: 204-1
> > >>> Severity: normal
> > >>> File: systemd-journald
> > >>>
> > >>> systemd-journald expects a group systemd-journal to exist:
> > >>> [7.667864] systemd-journald[326]: Failed to resolve
> > >>> 'systemd-journal' group: No such process
> > >>
> > >> Curious, how were you able to trigger this error message?
> > >> While I don't have the systemd-journal group either, I'm not able to
> > >> reproduce the error message.
> > >
> > > I booted my system with systemd. :)
> >
> > nvm, removing "quiet" from the kernel command line does wonders.
>
> It still shows up with quiet, if you check the logs.

I can reproduce this for users not being in the group adm.

Cheers,
 -- Guido
Bug#717386: [Pkg-systemd-maintainers] Bug#717386: Bug#717386: systemd-journal group does not exist
On Thu, Jul 25, 2013 at 03:37:46AM +0200, Michael Biebl wrote:
> On 25.07.2013 03:22, Josh Triplett wrote:
> > On Thu, Jul 25, 2013 at 02:44:58AM +0200, Michael Biebl wrote:
> >> On 20.07.2013 08:18, Josh Triplett wrote:
> >>> Package: systemd
> >>> Version: 204-1
> >>> Severity: normal
> >>> File: systemd-journald
> >>>
> >>> systemd-journald expects a group systemd-journal to exist:
> >>> [7.667864] systemd-journald[326]: Failed to resolve 'systemd-journal'
> >>> group: No such process
> >>
> >> Curious, how were you able to trigger this error message?
> >> While I don't have the systemd-journal group either, I'm not able to
> >> reproduce the error message.
> >
> > I booted my system with systemd. :)
>
> nvm, removing "quiet" from the kernel command line does wonders.

It still shows up with quiet, if you check the logs.

- Josh Triplett
Bug#717386: [Pkg-systemd-maintainers] Bug#717386: Bug#717386: systemd-journal group does not exist
On 25.07.2013 03:22, Josh Triplett wrote:
> On Thu, Jul 25, 2013 at 02:44:58AM +0200, Michael Biebl wrote:
>> On 20.07.2013 08:18, Josh Triplett wrote:
>>> Package: systemd
>>> Version: 204-1
>>> Severity: normal
>>> File: systemd-journald
>>>
>>> systemd-journald expects a group systemd-journal to exist:
>>> [7.667864] systemd-journald[326]: Failed to resolve 'systemd-journal'
>>> group: No such process
>>
>> Curious, how were you able to trigger this error message?
>> While I don't have the systemd-journal group either, I'm not able to
>> reproduce the error message.
>
> I booted my system with systemd. :)

nvm, removing "quiet" from the kernel command line does wonders.

--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
Bug#717386: [Pkg-systemd-maintainers] Bug#717386: systemd-journal group does not exist
On Thu, Jul 25, 2013 at 02:44:58AM +0200, Michael Biebl wrote:
> On 20.07.2013 08:18, Josh Triplett wrote:
> > Package: systemd
> > Version: 204-1
> > Severity: normal
> > File: systemd-journald
> >
> > systemd-journald expects a group systemd-journal to exist:
> > [7.667864] systemd-journald[326]: Failed to resolve 'systemd-journal'
> > group: No such process
>
> Curious, how were you able to trigger this error message?
> While I don't have the systemd-journal group either, I'm not able to
> reproduce the error message.

I booted my system with systemd. :)

No other steps required.

- Josh Triplett
Bug#717386: [Pkg-systemd-maintainers] Bug#717386: systemd-journal group does not exist
On 20.07.2013 08:18, Josh Triplett wrote:
> Package: systemd
> Version: 204-1
> Severity: normal
> File: systemd-journald
>
> systemd-journald expects a group systemd-journal to exist:
> [7.667864] systemd-journald[326]: Failed to resolve 'systemd-journal'
> group: No such process

Curious, how were you able to trigger this error message?
While I don't have the systemd-journal group either, I'm not able to
reproduce the error message.

Michael

--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
Bug#717386: [Pkg-systemd-maintainers] Bug#717386: systemd-journal group does not exist
Hi,

Josh Triplett writes:
>> > However, systemd does not create this group.
>>
>> As a result, journalctl doesn't work:
>>
>> ,
>> | $ journalctl
>> | Hint: You are currently not seeing messages from other users and the
>> system.
>> | Users in the 'systemd-journal' group can see all messages. Pass -q to
>> | turn off this notice.
>> | No journal files were opened due to insufficient permissions.
>> `

I am not sure I buy “journalctl doesn’t work”. It works as intended, you
just don’t have the nice feature of being in a special group to get more
read access than you currently have. journalctl per se does work, e.g.
as root.

> Ideally, this message should be extensible to indicate that membership
> in the "adm" group works as well, since that's the standard Debian group
> to get access to log files.

Agreed.

Thanks for creating a bug report to track this, it was planned from our
side to do this (but after the upload). I see three action items here:

1. (bug #717386) Create the systemd-journal group
2. (bug #717388) Ensure systemd-journal and adm have read access to
   /var/log/journal
3. (bug #717388) Patch the message in journalctl to make users aware
   of the adm group.

--
Best regards,
Michael
Bug#717386: systemd-journal group does not exist
On Sat, Jul 20, 2013 at 08:36:34AM +0200, Sven Joachim wrote:
> On 2013-07-20 08:18 +0200, Josh Triplett wrote:
> > systemd-journald expects a group systemd-journal to exist:
> > [7.667864] systemd-journald[326]: Failed to resolve 'systemd-journal'
> > group: No such process
>
> This is almost surely related to this upstream change:
>
> ,
> | CHANGES WITH 198:
> |
> | * The journal files are now owned by a new group
> | "systemd-journal", which exists specifically to allow access
> | to the journal, and nothing else. Previously, we used the
> | "adm" group for that, which however possibly covers more
> | than just journal/log file access. This new group is now
> | already used by systemd-journal-gatewayd to ensure this
> | daemon gets access to the journal files and as little else
> | as possible. Note that "make install" will also set FS ACLs
> | up for /var/log/journal to give "adm" and "wheel" read
> | access to it, in addition to "systemd-journal" which owns
> | the journal files. We recommend that packaging scripts also
> | add read access to "adm" + "wheel" to /var/log/journal, and
> | all existing/future journal files. To normal users and
> | administrators little changes, however packagers need to
> | ensure to create the "systemd-journal" system group at
> | package installation time.
> `

The note about adding read access for adm makes sense; that should
happen as part of the fix for 717388.

> > However, systemd does not create this group.
>
> As a result, journalctl doesn't work:
>
> ,
> | $ journalctl
> | Hint: You are currently not seeing messages from other users and the system.
> | Users in the 'systemd-journal' group can see all messages. Pass -q to
> | turn off this notice.
> | No journal files were opened due to insufficient permissions.
> `

Ideally, this message should be extensible to indicate that membership
in the "adm" group works as well, since that's the standard Debian group
to get access to log files.

- Josh Triplett
Bug#717386: systemd-journal group does not exist
On 2013-07-20 08:18 +0200, Josh Triplett wrote:
> Package: systemd
> Version: 204-1
> Severity: normal
> File: systemd-journald
>
> systemd-journald expects a group systemd-journal to exist:
> [7.667864] systemd-journald[326]: Failed to resolve 'systemd-journal'
> group: No such process

This is almost surely related to this upstream change:

,
| CHANGES WITH 198:
|
| * The journal files are now owned by a new group
| "systemd-journal", which exists specifically to allow access
| to the journal, and nothing else. Previously, we used the
| "adm" group for that, which however possibly covers more
| than just journal/log file access. This new group is now
| already used by systemd-journal-gatewayd to ensure this
| daemon gets access to the journal files and as little else
| as possible. Note that "make install" will also set FS ACLs
| up for /var/log/journal to give "adm" and "wheel" read
| access to it, in addition to "systemd-journal" which owns
| the journal files. We recommend that packaging scripts also
| add read access to "adm" + "wheel" to /var/log/journal, and
| all existing/future journal files. To normal users and
| administrators little changes, however packagers need to
| ensure to create the "systemd-journal" system group at
| package installation time.
`

> However, systemd does not create this group.

As a result, journalctl doesn't work:

,
| $ journalctl
| Hint: You are currently not seeing messages from other users and the system.
| Users in the 'systemd-journal' group can see all messages. Pass -q to
| turn off this notice.
| No journal files were opened due to insufficient permissions.
`

Cheers,
Sven
Bug#717386: systemd-journal group does not exist
Package: systemd
Version: 204-1
Severity: normal
File: systemd-journald

systemd-journald expects a group systemd-journal to exist:
[7.667864] systemd-journald[326]: Failed to resolve 'systemd-journal' group: No such process

However, systemd does not create this group.

- Josh Triplett

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.10-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages systemd depends on:
ii  initscripts          2.88dsf-43
ii  libacl1              2.2.52-1
ii  libaudit0            1:1.7.18-1.1
ii  libc6                2.17-7
ii  libcap2              1:2.22-1.2
ii  libcryptsetup4       2:1.6.1-1
ii  libdbus-1-3          1.6.12-1
ii  libgcrypt11          1.5.2-3
ii  libkmod2             9-3
ii  liblzma5             5.1.1alpha+20120614-2
ii  libpam0g             1.1.3-9
ii  libselinux1          2.1.13-2
ii  libsystemd-daemon0   44-12
ii  libsystemd-journal0  204-1
ii  libudev1             204-1
ii  libwrap0             7.6.q-24
ii  udev                 204-1
ii  util-linux           2.20.1-5.5

Versions of packages systemd recommends:
pn  libpam-systemd

Versions of packages systemd suggests:
pn  systemd-ui

-- no debconf information