From: Lennart Poettering Date: Wed, 11 Jun 2014 08:23:16 +0000 (+0200) Subject: tmpfiles: don't allow read access to journal files to users not in systemd-journal X-Git-Tag: v214~12 X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=commitdiff_plain;h=176f2acf8dee45fee832fd2ab07243f63783a238 tmpfiles: don't allow read access to journal files to users not in systemd-journal Also, don't apply access mode recursively to /var/log/journal/*/, since that might be quite large, and should be correct anyway. --- diff --git a/tmpfiles.d/systemd.conf b/tmpfiles.d/systemd.conf index b07d0504a..fbc47823d 100644 --- a/tmpfiles.d/systemd.conf +++ b/tmpfiles.d/systemd.conf @@ -20,7 +20,8 @@ d /run/systemd/netif 0755 systemd-network systemd-network - d /run/systemd/netif/links 0755 systemd-network systemd-network - d /run/systemd/netif/leases 0755 systemd-network systemd-network - -z /var/log/journal 2755 root systemd-journal - - -Z /var/log/journal/%m ~2755 root systemd-journal - - z /run/log/journal 2755 root systemd-journal - - -Z /run/log/journal/%m ~2755 root systemd-journal - - +Z /run/log/journal/%m ~2750 root systemd-journal - - + +z /var/log/journal 2755 root systemd-journal - - +z /var/log/journal/%m 2755 root systemd-journal - -
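Review bot: The added `z /var/log/journal/%m 2755 root systemd-journal - -` line still grants read and traverse permission to "other" on the persistent per-machine directory, while the same change tightens only the runtime path to `~2750`, so the two locations end up with different access for users outside systemd-journal even though the subject line promises to deny them read access. If the difference is intentional (for example because the files inside are expected to carry their own restrictive modes), say so in the commit message; otherwise use 2750 on the `/var/log/journal/%m` line as well. Also note that replacing `Z` with `z` for that path means files already present under it keep whatever mode they have: the message's "should be correct anyway" assumes no journal file was ever created with a looser mode, which is worth a one-line justification or a check on upgrade.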