X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=man%2Fsystemd-journald.service.xml;h=2860ae9769e02325f613d27e7eabc8d49068398e;hb=1e158d273bb63883566358cbb886cd4167421df6;hp=43df3e7cfa308dc1504abeaaeff5d61cddb404e5;hpb=4aa6e7782a1b693a8e4fa1d84c87dd76fe1e536d;p=elogind.git

diff --git a/man/systemd-journald.service.xml b/man/systemd-journald.service.xml
index 43df3e7cf..2860ae976 100644
--- a/man/systemd-journald.service.xml
+++ b/man/systemd-journald.service.xml
@@ -24,7 +24,7 @@
 <refentry id="systemd-journald.service">
 
         <refentryinfo>
-                <title>systemd-journald</title>
+                <title>systemd-journald.service</title>
                 <productname>systemd</productname>
 
                 <authorgroup>
@@ -38,18 +38,20 @@
         </refentryinfo>
 
         <refmeta>
-                <refentrytitle>systemd-journald</refentrytitle>
+                <refentrytitle>systemd-journald.service</refentrytitle>
                 <manvolnum>8</manvolnum>
         </refmeta>
 
         <refnamediv>
                 <refname>systemd-journald.service</refname>
+                <refname>systemd-journald.socket</refname>
                 <refname>systemd-journald</refname>
-                <refpurpose>systemd Journal Service</refpurpose>
+                <refpurpose>Journal service</refpurpose>
         </refnamediv>
 
         <refsynopsisdiv>
                 <para><filename>systemd-journald.service</filename></para>
+                <para><filename>systemd-journald.socket</filename></para>
                 <para><filename>/usr/lib/systemd/systemd-journald</filename></para>
         </refsynopsisdiv>
 
@@ -85,8 +87,8 @@
                 the data.</para>
 
                 <para><filename>systemd-journald</filename> will
-                forward all received log messages to the AF_UNIX
-                SOCK_DGRAM socket
+                forward all received log messages to the <constant>AF_UNIX</constant>
+                <constant>SOCK_DGRAM</constant> socket
                 <filename>/run/systemd/journal/syslog</filename> (if it exists) which
                 may be used by UNIX syslog daemons to process the data
                 further.</para>
@@ -109,13 +111,13 @@
                                 is flushed to
                                 <filename>/var/</filename> in order to
                                 make it persistent (if this is
-                                enabled). This may be used after
+                                enabled). This must be used after
                                 <filename>/var/</filename> is mounted,
-                                but is generally not required since
-                                the first journal write when
-                                <filename>/var/</filename> becomes
-                                writable triggers the flushing
-                                anyway.</para></listitem>
+                                as otherwise log data from
+                                <filename>/run</filename> is never
+                                flushed to <filename>/var</filename>
+                                regardless of the
+                                configuration.</para></listitem>
                         </varlistentry>
 
                         <varlistentry>
@@ -132,10 +134,10 @@
                 <title>Kernel Command Line</title>
 
                 <para>A few configuration parameters from
-                <filename>journald.conf</filename> may be overriden on
+                <filename>journald.conf</filename> may be overridden on
                 the kernel command line:</para>
 
-                <variablelist>
+                <variablelist class='kernel-commandline-options'>
                         <varlistentry>
                                 <term><varname>systemd.journald.forward_to_syslog=</varname></term>
                                 <term><varname>systemd.journald.forward_to_kmsg=</varname></term>
@@ -156,6 +158,38 @@
                 </variablelist>
         </refsect1>
 
+        <refsect1>
+                <title>Access Control</title>
+
+                <para>Journal files are by default owned and readable
+                by the <literal>systemd-journal</literal> system group
+                (but not writable). Adding a user to this group thus
+                enables her/him to read the journal files.</para>
+
+                <para>By default, each logged in user will get her/his
+                own set of journal files in
+                <filename>/var/log/journal/</filename>. These files
+                will not be owned by the user however, in order to
+                avoid that the user can write to them
+                directly. Instead, file system ACLs are used to ensure
+                the user gets read access only.</para>
+
+                <para>Additional users and groups may be granted
+                access to journal files via file system access control
+                lists (ACL). Distributions and administrators may
+                choose to grant read access to all members of the
+                <literal>wheel</literal> and <literal>adm</literal>
+                system groups with a command such as the
+                following:</para>
+
+                <programlisting># setfacl -Rnm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/</programlisting>
+
+                <para>Note that this command will update the ACLs both
+                for existing journal files and for future journal
+                files created in the
+                <filename>/var/log/journal/</filename>
+                directory.</para>
+        </refsect1>
 
         <refsect1>
                 <title>See Also</title>
@@ -163,7 +197,9 @@
                         <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
                         <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
                         <citerefentry><refentrytitle>journald.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
-                        <citerefentry><refentrytitle>systemd.journal-fields</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+                        <citerefentry><refentrytitle>systemd.journal-fields</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
+                        <citerefentry><refentrytitle>sd-journal</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
+                        <citerefentry><refentrytitle>setfacl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
                 </para>
         </refsect1>