X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=man%2Fsystemd-journald.service.xml;h=bc32c8e38bd29c942de2967a84846c133597ca7c;hb=5b7d4c1c164d91b8c28c3dcd3921ad9863953ffa;hp=4969ab19c360d10591082a46bc415855de7406e2;hpb=ccc9a4f9ffdab069b0b785627c48962fdadf6d46;p=elogind.git
diff --git a/man/systemd-journald.service.xml b/man/systemd-journald.service.xml
index 4969ab19c..bc32c8e38 100644
--- a/man/systemd-journald.service.xml
+++ b/man/systemd-journald.service.xml
@@ -158,6 +158,38 @@
+
+ Access Control
+
+ Journal files are by default owned and readable
+ by the systemd-journal system group
+ (but not writable). Adding a user to this group thus
+ enables her/him to read the journal files.
+
+ By default, each logged in user will get her/his
+ own set of journal files in
+ /var/log/journal/. These files
+ will not be owned by the user however, in order to
+ avoid that the user can write to them
+ directly. Instead, file system ACLs are used to ensure
+ the user gets read access only.
+
+ Additional users and groups may be granted
+ access to journal files via file system access control
+ lists (ACL). Distributions and administrators may
+ choose to grant read access to all members of the
+ wheel and adm
+ system groups with a command such as the
+ following:
+
+ # setfacl -Rnm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/
+
+ Note that this command will update the ACLs both
+ for existing journal files and for future journal
+ files created in the
+ /var/log/journal/
+ directory.
+
See Also
@@ -166,7 +198,8 @@
journalctl1,
journald.conf5,
systemd.journal-fields7,
- sd-journal3
+ sd-journal3,
+ setfacl1