From: Lennart Poettering Date: Tue, 5 Mar 2013 18:15:31 +0000 (+0100) Subject: journal: make gatewayd run under its own user ID X-Git-Tag: v198~72 X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=commitdiff_plain;h=37495eede95d3212b797c8459d7ed6258fb23c6a;hp=37c0e8f35e92190a22b2ac0fbb23bf396121e84a journal: make gatewayd run under its own user ID --- diff --git a/README b/README index 889c687ba..b6e347ec2 100644 --- a/README +++ b/README @@ -101,11 +101,12 @@ REQUIREMENTS: pass the same DESTDIR to 'make sphinx-html' invocation. USERS AND GROUPS: - Default udev rules use the following standard system group names,\ - which need to be resolvable by getgrnam() at any time, even in the - very early boot stages, where no other databases and network is - available: - tty, dialout, kmem, video, audio, lp, floppy, cdrom, tape, disk + Default udev rules use the following standard system group + names, which need to be resolvable by getgrnam() at any time, + even in the very early boot stages, where no other databases + and network are available: + + tty, dialout, kmem, video, audio, lp, floppy, cdrom, tape, disk During runtime the journal daemon requires the "system-journal" system group to exist. New journal files will @@ -119,6 +120,11 @@ USERS AND GROUPS: # setfacl -nm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/ + The journal gateway daemon requires the + "system-journal-gateway" system user and group to + exist. During execution this network facing service will drop + privileges and assume this uid/gid for security reasons. + WARNINGS: systemd will warn you during boot if /etc/mtab is not a symlink to /proc/mounts. Please ensure that /etc/mtab is a diff --git a/units/systemd-journal-gatewayd.service.in b/units/systemd-journal-gatewayd.service.in index c3b5c725b..a01ce8da4 100644 --- a/units/systemd-journal-gatewayd.service.in +++ b/units/systemd-journal-gatewayd.service.in 
@@ -11,6 +11,9 @@ Requires=systemd-journal-gatewayd.socket [Service] ExecStart=@rootlibexecdir@/systemd-journal-gatewayd +User=systemd-journal-gateway +Group=systemd-journal-gateway +SupplementaryGroups=systemd-journal [Install] Also=systemd-journal-gatewayd.socket
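Review bot: the first README hunk (@@ -101,11 +101,12 @@) is an unrelated cosmetic change: it only reflows the udev group paragraph, drops the stray trailing backslash after "names,\" and fixes "network is available" to "network are available". None of that concerns gatewayd, so it would be cleaner as its own commit so the gatewayd change stays reviewable on its own.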
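Review bot: the second README hunk (@@ -119,6 +120,11 @@) names the account "system-journal-gateway", but the unit file sets User=systemd-journal-gateway and Group=systemd-journal-gateway; the two spellings have to match or anyone creating the account from the README gets a service that cannot start. Pick one and use it in both places. The sentence "During execution this network facing service will drop privileges and assume this uid/gid" is also slightly off: with User=/Group= in the unit, systemd switches to that identity before exec'ing the daemon, so the process never runs as root at all; "is started as this uid/gid" (and "network-facing") would be more accurate.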
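Review bot: nothing in this patch creates the systemd-journal-gateway user or group, and a User= that does not resolve makes the unit fail to start, so the requirement the README now states needs to be carried into installation or packaging rather than left as documentation only. The SupplementaryGroups=systemd-journal line is what keeps the unprivileged daemon able to read the journal files; note that the README's existing text refers to that group as "system-journal", so whichever name is correct should be used consistently in both files.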