X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=man%2Fsystemd-journald.service.xml;h=2860ae9769e02325f613d27e7eabc8d49068398e;hb=1e158d273bb63883566358cbb886cd4167421df6;hp=abc03df5db99fd57416ef75fd543dc082e8dc5b1;hpb=bb31a4ac1997c189a344caf554f34c6aabc71aa7;p=elogind.git

diff --git a/man/systemd-journald.service.xml b/man/systemd-journald.service.xml
index abc03df5d..2860ae976 100644
--- a/man/systemd-journald.service.xml
+++ b/man/systemd-journald.service.xml
@@ -87,8 +87,8 @@
                 the data.</para>
 
                 <para><filename>systemd-journald</filename> will
-                forward all received log messages to the AF_UNIX
-                SOCK_DGRAM socket
+                forward all received log messages to the <constant>AF_UNIX</constant>
+                <constant>SOCK_DGRAM</constant> socket
                 <filename>/run/systemd/journal/syslog</filename> (if it exists) which
                 may be used by UNIX syslog daemons to process the data
                 further.</para>
@@ -111,13 +111,13 @@
                                 is flushed to
                                 <filename>/var/</filename> in order to
                                 make it persistent (if this is
-                                enabled). This may be used after
+                                enabled). This must be used after
                                 <filename>/var/</filename> is mounted,
-                                but is generally not required since
-                                the first journal write when
-                                <filename>/var/</filename> becomes
-                                writable triggers the flushing
-                                anyway.</para></listitem>
+                                as otherwise log data from
+                                <filename>/run</filename> is never
+                                flushed to <filename>/var</filename>
+                                regardless of the
+                                configuration.</para></listitem>
                         </varlistentry>
 
                         <varlistentry>
@@ -137,7 +137,7 @@
                 <filename>journald.conf</filename> may be overridden on
                 the kernel command line:</para>
 
-                <variablelist>
+                <variablelist class='kernel-commandline-options'>
                         <varlistentry>
                                 <term><varname>systemd.journald.forward_to_syslog=</varname></term>
                                 <term><varname>systemd.journald.forward_to_kmsg=</varname></term>
@@ -158,6 +158,38 @@
                 </variablelist>
         </refsect1>
 
+        <refsect1>
+                <title>Access Control</title>
+
+                <para>Journal files are by default owned and readable
+                by the <literal>systemd-journal</literal> system group
+                (but not writable). Adding a user to this group thus
+                enables her/him to read the journal files.</para>
+
+                <para>By default, each logged in user will get her/his
+                own set of journal files in
+                <filename>/var/log/journal/</filename>. These files
+                will not be owned by the user however, in order to
+                avoid that the user can write to them
+                directly. Instead, file system ACLs are used to ensure
+                the user gets read access only.</para>
+
+                <para>Additional users and groups may be granted
+                access to journal files via file system access control
+                lists (ACL). Distributions and administrators may
+                choose to grant read access to all members of the
+                <literal>wheel</literal> and <literal>adm</literal>
+                system groups with a command such as the
+                following:</para>
+
+                <programlisting># setfacl -Rnm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/</programlisting>
+
+                <para>Note that this command will update the ACLs both
+                for existing journal files and for future journal
+                files created in the
+                <filename>/var/log/journal/</filename>
+                directory.</para>
+        </refsect1>
 
         <refsect1>
                 <title>See Also</title>
@@ -166,7 +198,8 @@
                         <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
                         <citerefentry><refentrytitle>journald.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
                         <citerefentry><refentrytitle>systemd.journal-fields</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
-                        <citerefentry><refentrytitle>sd-journal</refentrytitle><manvolnum>3</manvolnum></citerefentry>
+                        <citerefentry><refentrytitle>sd-journal</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
+                        <citerefentry><refentrytitle>setfacl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
                 </para>
         </refsect1>