X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=man%2Fsystemd-journald.service.xml;h=2860ae9769e02325f613d27e7eabc8d49068398e;hb=1e158d273bb63883566358cbb886cd4167421df6;hp=4969ab19c360d10591082a46bc415855de7406e2;hpb=ccc9a4f9ffdab069b0b785627c48962fdadf6d46;p=elogind.git
diff --git a/man/systemd-journald.service.xml b/man/systemd-journald.service.xml
index 4969ab19c..2860ae976 100644
--- a/man/systemd-journald.service.xml
+++ b/man/systemd-journald.service.xml
@@ -87,8 +87,8 @@
the data.
systemd-journald will
- forward all received log messages to the AF_UNIX
- SOCK_DGRAM socket
+ forward all received log messages to the AF_UNIX
+ SOCK_DGRAM socket
/run/systemd/journal/syslog (if it exists) which
may be used by UNIX syslog daemons to process the data
further.
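Review bot: The removed and added lines for "forward all received log messages to the AF_UNIX SOCK_DGRAM socket" show no textual difference as rendered here, so this hunk appears to be whitespace or markup churn only. Either say so in the commit message or move it to a separate cleanup commit, so it is not mistaken for part of the behavioural documentation change that follows.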
@@ -111,13 +111,13 @@
is flushed to
/var/ in order to
make it persistent (if this is
- enabled). This may be used after
+ enabled). This must be used after
/var/ is mounted,
- but is generally not required since
- the first journal write when
- /var/ becomes
- writable triggers the flushing
- anyway.
+ as otherwise log data from
+ /run is never
+ flushed to /var
+ regardless of the
+ configuration.
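Review bot: The new wording "regardless of the configuration" sits two lines after the unchanged "(if this is enabled)", and the two read as contradictory: one says the flush depends on persistence being enabled, the other says configuration does not matter. Reword so it is clear that the request is always required and that it only has an effect when persistent storage is enabled. The added lines also write "/run" and "/var" without the trailing slash used by the context lines ("/var/"), and "/run" is less specific than it could be; naming the journal directory under /run would tell the reader which data is left unflushed.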
@@ -158,6 +158,38 @@
+
+ Access Control
+
+ Journal files are by default owned and readable
+ by the systemd-journal system group
+ (but not writable). Adding a user to this group thus
+ enables her/him to read the journal files.
+
+ By default, each logged in user will get her/his
+ own set of journal files in
+ /var/log/journal/. These files
+ will not be owned by the user however, in order to
+ avoid that the user can write to them
+ directly. Instead, file system ACLs are used to ensure
+ the user gets read access only.
+
+ Additional users and groups may be granted
+ access to journal files via file system access control
+ lists (ACL). Distributions and administrators may
+ choose to grant read access to all members of the
+ wheel and adm
+ system groups with a command such as the
+ following:
+
+ # setfacl -Rnm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/
+
+ Note that this command will update the ACLs both
+ for existing journal files and for future journal
+ files created in the
+ /var/log/journal/
+ directory.
+
See Also
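Review bot: The example command "setfacl -Rnm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/" uses lowercase "x" together with -R, so the access entries it writes on every existing journal file include execute, although only the directories need it for traversal. Using "rX" in all four entries would limit execute to directories and keep the documented grant at read access, which is what the surrounding text promises ("the user gets read access only"). Because -n suppresses recalculation of the ACL mask, the section should also say that the effective rights of the new entries remain limited by the existing mask; otherwise an administrator may run the command and find that access is still denied. Minor wording: "in order to avoid that the user can write to them directly" would read better as "so that the user cannot write to them directly".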
@@ -166,7 +198,8 @@
journalctl1,
journald.conf5,
systemd.journal-fields7,
- sd-journal3
+ sd-journal3,
+ setfacl1