From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 5 Mar 2013 13:27:34 +0000 (+0100)
Subject: journald: be a bit more careful when spitting up journals by user id
X-Git-Tag: v198~78
X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=commitdiff_plain;h=40adcda869bda55f44b57fd3a2bd71d006dfb51b;p=elogind.git

journald: be a bit more careful when spitting up journals by user id
---

diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
index dcfdeaf68..b46a2f63b 100644
--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@@ -670,10 +670,19 @@ static void dispatch_message_real(
         assert(n <= m);
 
         if (s->split_mode == SPLIT_UID && realuid > 0)
+                /* Split up strictly by any UID */
                 journal_uid = realuid;
-        else if (s->split_mode == SPLIT_LOGIN && owner_valid && owner > 0)
+        else if (s->split_mode == SPLIT_LOGIN && owner_valid && owner > 0 && realuid > 0)
+                /* Split up by login UIDs, this avoids creation of
+                 * individual journals for system UIDs.  We do this
+                 * only if the realuid is not root, in order not to
+                 * accidentally leak privileged information logged by
+                 * a privileged process that is part of an
+                 * unprivileged session to the user. */
                 journal_uid = owner;
-        else if (s->split_mode == SPLIT_LOGIN && loginuid_valid && loginuid > 0)
+        else if (s->split_mode == SPLIT_LOGIN && loginuid_valid && loginuid > 0 && realuid > 0)
+                /* Hmm, let's try via the audit uids, as fallback,
+                 * just in case */
                 journal_uid = loginuid;
         else
                 journal_uid = 0;