build-sys: move acl searching code into libsystemd-acl

[elogind.git] / src / journal / journalctl.c

diff --git a/src/journal/journalctl.c b/src/journal/journalctl.c
index ddadc21338ffb61a35442446692fb9c2963e3519..8543adfb8a1d2d52ac65e72545fe505d552fce4d 100644 (file)
--- a/src/journal/journalctl.c
+++ b/src/journal/journalctl.c
@@ -35,6 +35,11 @@
 #include <sys/ioctl.h>
 #include <linux/fs.h>
 
+#ifdef HAVE_ACL
+#include <sys/acl.h>
+#include "acl-util.h"
+#endif
+
 #include <systemd/sd-journal.h>
 
 #include "log.h"
@@ -881,13 +886,52 @@ static int verify(sd_journal *j) {
 static int access_check(void) {
 
 #ifdef HAVE_ACL
+        /* If /var/log/journal doesn't even exist, unprivileged users have no access at all */
         if (access("/var/log/journal", F_OK) < 0 && geteuid() != 0 && in_group("systemd-journal") <= 0) {
                 log_error("Unprivileged users can't see messages unless persistent log storage is enabled. Users in the group 'systemd-journal' can always see messages.");
                 return -EACCES;
         }
 
-        if (!arg_quiet && geteuid() != 0 && in_group("systemd-journal") <= 0)
-                log_warning("Showing user generated messages only. Users in the group 'systemd-journal' can see all messages. Pass -q to turn this notice off.");
+        /* If /var/log/journal exists, try to pring a nice notice if the user lacks access to it */
+        if (!arg_quiet && geteuid() != 0) {
+                _cleanup_strv_free_ char **g = NULL;
+                bool have_access;
+                int r;
+
+                have_access = in_group("systemd-journal") > 0;
+
+                if (!have_access) {
+                        /* Let's enumerate all groups from the default
+                         * ACL of the directory, which generally
+                         * should allow access to most journal
+                         * files too */
+                        r = search_acl_groups(&g, "/var/log/journal/", &have_access);
+                        if (r < 0)
+                                return r;
+                }
+
+                if (!have_access) {
+
+                        if (strv_isempty(g))
+                                log_notice("Hint: You are currently not seeing messages from other users and the system. Users in the group 'systemd-journal' can see all messages. Pass -q to turn this notice off.");
+                        else {
+                                _cleanup_free_ char *s = NULL;
+
+                                r = strv_extend(&g, "systemd-journal");
+                                if (r < 0)
+                                        return log_oom();
+
+                                strv_sort(g);
+                                strv_uniq(g);
+
+                                s = strv_join(g, "', '");
+                                if (!s)
+                                        return log_oom();
+
+                                log_notice("Hint: You are currently not seeing messages from other users and the system. Users in the groups '%s' can see all messages. Pass -q to turn this notice off.", s);
+                        }
+                }
+        }
 #else
         if (geteuid() != 0 && in_group("systemd-journal") <= 0) {
                 log_error("No access to messages. Only users in the group 'systemd-journal' can see messages.");