#include <sys/ioctl.h>
#include <linux/fs.h>
+#ifdef HAVE_ACL
+#include <sys/acl.h>
+#include "acl-util.h"
+#endif
+
#include <systemd/sd-journal.h>
#include "log.h"
static int access_check(void) {
#ifdef HAVE_ACL
+ /* If /var/log/journal doesn't even exist, unprivileged users have no access at all */
if (access("/var/log/journal", F_OK) < 0 && geteuid() != 0 && in_group("systemd-journal") <= 0) {
log_error("Unprivileged users can't see messages unless persistent log storage is enabled. Users in the group 'systemd-journal' can always see messages.");
return -EACCES;
}
- if (!arg_quiet && geteuid() != 0 && in_group("systemd-journal") <= 0)
- log_warning("Showing user generated messages only. Users in the group 'systemd-journal' can see all messages. Pass -q to turn this notice off.");
+ /* If /var/log/journal exists, try to pring a nice notice if the user lacks access to it */
+ if (!arg_quiet && geteuid() != 0) {
+ _cleanup_strv_free_ char **g = NULL;
+ bool have_access;
+ int r;
+
+ have_access = in_group("systemd-journal") > 0;
+
+ if (!have_access) {
+ /* Let's enumerate all groups from the default
+ * ACL of the directory, which generally
+ * should allow access to most journal
+ * files too */
+ r = search_acl_groups(&g, "/var/log/journal/", &have_access);
+ if (r < 0)
+ return r;
+ }
+
+ if (!have_access) {
+
+ if (strv_isempty(g))
+ log_notice("Hint: You are currently not seeing messages from other users and the system. Users in the group 'systemd-journal' can see all messages. Pass -q to turn this notice off.");
+ else {
+ _cleanup_free_ char *s = NULL;
+
+ r = strv_extend(&g, "systemd-journal");
+ if (r < 0)
+ return log_oom();
+
+ strv_sort(g);
+ strv_uniq(g);
+
+ s = strv_join(g, "', '");
+ if (!s)
+ return log_oom();
+
+ log_notice("Hint: You are currently not seeing messages from other users and the system. Users in the groups '%s' can see all messages. Pass -q to turn this notice off.", s);
+ }
+ }
+ }
#else
if (geteuid() != 0 && in_group("systemd-journal") <= 0) {
log_error("No access to messages. Only users in the group 'systemd-journal' can see messages.");