X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=man%2Fsystemd-journald.service.xml;h=bc32c8e38bd29c942de2967a84846c133597ca7c;hb=01ec23582dc0523831059fc05bedde16efd06576;hp=abc03df5db99fd57416ef75fd543dc082e8dc5b1;hpb=bb31a4ac1997c189a344caf554f34c6aabc71aa7;p=elogind.git
diff --git a/man/systemd-journald.service.xml b/man/systemd-journald.service.xml
index abc03df5d..bc32c8e38 100644
--- a/man/systemd-journald.service.xml
+++ b/man/systemd-journald.service.xml
@@ -137,7 +137,7 @@
journald.conf may be overridden on
the kernel command line:
-
+
systemd.journald.forward_to_syslog=
systemd.journald.forward_to_kmsg=
@@ -158,6 +158,38 @@
+
+ Access Control
+
+ Journal files are by default owned and readable
+ by the systemd-journal system group
+ (but not writable). Adding a user to this group thus
+ enables her/him to read the journal files.
+
+ By default, each logged in user will get her/his
+ own set of journal files in
+ /var/log/journal/. These files
+ will not be owned by the user however, in order to
+ avoid that the user can write to them
+ directly. Instead, file system ACLs are used to ensure
+ the user gets read access only.
+
+ Additional users and groups may be granted
+ access to journal files via file system access control
+ lists (ACL). Distributions and administrators may
+ choose to grant read access to all members of the
+ wheel and adm
+ system groups with a command such as the
+ following:
+
+ # setfacl -Rnm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/
+
+ Note that this command will update the ACLs both
+ for existing journal files and for future journal
+ files created in the
+ /var/log/journal/
+ directory.
+
See Also
@@ -166,7 +198,8 @@
journalctl1,
journald.conf5,
systemd.journal-fields7,
- sd-journal3
+ sd-journal3,
+ setfacl1