journald: set group ownership of journal files to 'adm' by default

[elogind.git] / src / journal / journald.c

diff --git a/src/journal/journald.c b/src/journal/journald.c
index d02030939af0ec2907e52ee182ae852ba5d42d67..33865b812075187b55191dbdc48edf640338ec7a 100644 (file)
--- a/src/journal/journald.c
+++ b/src/journal/journald.c
@@ -25,8 +25,6 @@
 #include <sys/signalfd.h>
 #include <unistd.h>
 #include <fcntl.h>
-#include <sys/acl.h>
-#include <acl/libacl.h>
 #include <stddef.h>
 #include <sys/ioctl.h>
 #include <linux/sockios.h>
@@ -40,7 +38,6 @@
 #include "hashmap.h"
 #include "journal-file.h"
 #include "socket-util.h"
-#include "acl-util.h"
 #include "cgroup-util.h"
 #include "list.h"
 #include "journal-rate-limit.h"
@@ -49,6 +46,12 @@
 #include "journald.h"
 #include "virt.h"
 
+#ifdef HAVE_ACL
+#include <sys/acl.h>
+#include <acl/libacl.h>
+#include "acl-util.h"
+#endif
+
 #define USER_JOURNALS_MAX 1024
 #define STDOUT_STREAMS_MAX 4096
 
@@ -180,18 +183,42 @@ finish:
         return avail;
 }
 
-static void fix_perms(JournalFile *f, uid_t uid) {
+static void server_read_file_gid(Server *s) {
+        const char *adm = "adm";
+        int r;
+
+        assert(s);
+
+        if (s->file_gid_valid)
+                return;
+
+        r = get_group_creds(&adm, &s->file_gid);
+        if (r < 0)
+                log_warning("Failed to resolve 'adm' group: %s", strerror(-r));
+
+        /* if we couldn't read the gid, then it will be 0, but that's
+         * fine and we shouldn't try to resolve the group again, so
+         * let's just pretend it worked right-away. */
+        s->file_gid_valid = true;
+}
+
+static void server_fix_perms(Server *s, JournalFile *f, uid_t uid) {
+        int r;
+#ifdef HAVE_ACL
         acl_t acl;
         acl_entry_t entry;
         acl_permset_t permset;
-        int r;
+#endif
 
         assert(f);
 
-        r = fchmod_and_fchown(f->fd, 0640, 0, 0);
+        server_read_file_gid(s);
+
+        r = fchmod_and_fchown(f->fd, 0640, 0, s->file_gid);
         if (r < 0)
                 log_warning("Failed to fix access mode/rights on %s, ignoring: %s", f->path, strerror(-r));
 
+#ifdef HAVE_ACL
         if (uid <= 0)
                 return;
 
@@ -224,6 +251,7 @@ static void fix_perms(JournalFile *f, uid_t uid) {
 
 finish:
         acl_free(acl);
+#endif
 }
 
 static JournalFile* find_journal(Server *s, uid_t uid) {
@@ -270,7 +298,7 @@ static JournalFile* find_journal(Server *s, uid_t uid) {
         if (r < 0)
                 return s->system_journal;
 
-        fix_perms(f, uid);
+        server_fix_perms(s, f, uid);
         f->metrics = s->system_metrics;
         f->compress = s->compress;
 
@@ -1726,7 +1754,7 @@ static int system_journal_open(Server *s) {
                         s->system_journal->metrics = s->system_metrics;
                         s->system_journal->compress = s->compress;
 
-                        fix_perms(s->system_journal, 0);
+                        server_fix_perms(s, s->system_journal, 0);
                 } else if (r < 0) {
 
                         if (r != -ENOENT && r != -EROFS)
@@ -1779,7 +1807,7 @@ static int system_journal_open(Server *s) {
                         s->runtime_journal->metrics = s->runtime_metrics;
                         s->runtime_journal->compress = s->compress;
 
-                        fix_perms(s->runtime_journal, 0);
+                        server_fix_perms(s, s->runtime_journal, 0);
                 }
         }