tmpfiles: don't allow read access to journal files to users not in systemd-journal
author Lennart Poettering <lennart@poettering.net>
Wed, 11 Jun 2014 08:23:16 +0000 (10:23 +0200)
committer Lennart Poettering <lennart@poettering.net>
Wed, 11 Jun 2014 08:29:01 +0000 (10:29 +0200)
Also, don't apply access mode recursively to /var/log/journal/*/, since
that might be quite large, and should be correct anyway.

tmpfiles.d/systemd.conf

index b07d0504aa80e3baffe2999418014a997c70f164..fbc47823dbb015611464c4a3a9e62b5b6ac69202 100644 (file)
@@ -20,7 +20,8 @@ d /run/systemd/netif 0755 systemd-network systemd-network -
 d /run/systemd/netif/links 0755 systemd-network systemd-network -
 d /run/systemd/netif/leases 0755 systemd-network systemd-network -
 
-z /var/log/journal 2755 root systemd-journal - -
-Z /var/log/journal/%m ~2755 root systemd-journal - -
 z /run/log/journal 2755 root systemd-journal - -
-Z /run/log/journal/%m ~2755 root systemd-journal - -
+Z /run/log/journal/%m ~2750 root systemd-journal - -
+
+z /var/log/journal 2755 root systemd-journal - -
+z /var/log/journal/%m 2755 root systemd-journal - -
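
Review bot: the added `z /var/log/journal/%m 2755` line leaves the persistent per-machine directory readable and searchable by others, while the runtime line in the same hunk is tightened to `~2750`. The subject says users outside systemd-journal should not get read access, so either this line should also use 2750 or the commit message should say why only /run/log/journal/%m is restricted. The same line drops the `~` prefix together with the recursive `Z`, so files already present under /var/log/journal/%m are no longer touched by this rule and their protection depends on the modes they were created with. A short comment in tmpfiles.d/systemd.conf stating that assumption, and why the two trees are treated differently, would make the intent checkable later.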