mirror of
https://github.com/systemd/systemd-stable.git
synced 2024-10-31 07:51:08 +03:00
journalctl: various fixes to the access check logic
- Reword messages a bit - Correct check whether EACCES is in the set of errors - Don't complain if no journal files are found - allocate Set object for errors lazily since in the best case we don't need it at all. - don't consider it an error if /run/log/journal doesn't exist (because that's the usual case actually, if storage is enabled)
parent
a5a5ade34c
commit
3ac251b81a
@ -905,9 +905,9 @@ static int access_check_var_log_journal(sd_journal *j) {
|
||||
if (!have_access) {
|
||||
|
||||
if (strv_isempty(g))
|
||||
log_notice("Hint: You are currently not seeing messages from other users and\n"
|
||||
"the system. Users in the group 'systemd-journal' can see all messages.\n"
|
||||
"Pass -q to turn this notice off.");
|
||||
log_notice("Hint: You are currently not seeing messages from other users and the system.\n"
|
||||
" Users in the 'systemd-journal' group can see all messages. Pass -q to\n"
|
||||
" turn off this notice.");
|
||||
else {
|
||||
_cleanup_free_ char *s = NULL;
|
||||
|
||||
@ -923,8 +923,8 @@ static int access_check_var_log_journal(sd_journal *j) {
|
||||
return log_oom();
|
||||
|
||||
log_notice("Hint: You are currently not seeing messages from other users and the system.\n"
|
||||
"Users in the groups '%s' can see all messages.\n"
|
||||
"Pass -q to turn this notice off.", s);
|
||||
" Users in the groups '%s' can see all messages.\n"
|
||||
" Pass -q to turn off this notice.", s);
|
||||
}
|
||||
}
|
||||
|
||||
@ -933,29 +933,27 @@ static int access_check_var_log_journal(sd_journal *j) {
|
||||
#endif
|
||||
|
||||
static int access_check(sd_journal *j) {
|
||||
uint64_t eacces = EACCES, *code;
|
||||
Iterator it;
|
||||
void *code;
|
||||
int r = 0;
|
||||
|
||||
assert(j);
|
||||
assert(j->errors);
|
||||
assert(j->files);
|
||||
|
||||
if (set_isempty(j->errors)) {
|
||||
if (hashmap_isempty(j->files))
|
||||
log_info("No journal files were found.");
|
||||
log_notice("No journal files were found.");
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (!set_contains(j->errors, &eacces)) {
|
||||
if (set_contains(j->errors, INT_TO_PTR(-EACCES))) {
|
||||
#ifdef HAVE_ACL
|
||||
/* If /var/log/journal doesn't even exist,
|
||||
unprivileged users have no access at all */
|
||||
* unprivileged users have no access at all */
|
||||
if (access("/var/log/journal", F_OK) < 0 &&
|
||||
geteuid() != 0 &&
|
||||
in_group("systemd-journal") <= 0) {
|
||||
log_error("Unprivileged users can't see messages unless persistent log storage\n"
|
||||
"is enabled. Users in the group 'systemd-journal' can always see messages.");
|
||||
log_error("Unprivileged users cannot access messages, unless persistent log storage is\n"
|
||||
"enabled. Users in the 'systemd-journal' group may always access messages.");
|
||||
return -EACCES;
|
||||
}
|
||||
|
||||
@ -967,26 +965,30 @@ static int access_check(sd_journal *j) {
|
||||
return r;
|
||||
}
|
||||
#else
|
||||
if (geteuid() != 0 && in_group("systemd-journal") <= 0)
|
||||
log_error("No access to messages.\n"
|
||||
"Users in the group 'systemd-journal' can see messages.");
|
||||
if (geteuid() != 0 && in_group("systemd-journal") <= 0) {
|
||||
log_error("Unprivileged users cannot access messages. Users in the 'systemd-journal' group\n"
|
||||
"group may access messages.");
|
||||
return -EACCES;
|
||||
}
|
||||
#endif
|
||||
|
||||
if (hashmap_isempty(j->files)) {
|
||||
log_error("No journal files were opened, due to insufficient permissions.");
|
||||
log_error("No journal files were opened due to insufficient permissions.");
|
||||
r = -EACCES;
|
||||
}
|
||||
}
|
||||
|
||||
SET_FOREACH(code, j->errors, it) {
|
||||
int err = -PTR_TO_INT(code);
|
||||
int err;
|
||||
|
||||
err = -PTR_TO_INT(code);
|
||||
assert(err > 0);
|
||||
|
||||
if (err != EACCES)
|
||||
log_warning("Error was encountered while opening journal files: %s",
|
||||
strerror(err));
|
||||
}
|
||||
|
||||
log_notice("Hint: run journalctl in debug mode: SYSTEMD_LOG_LEVEL=debug journalct ...");
|
||||
|
||||
return r;
|
||||
}
|
||||
|
||||
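Review bot: The reworded non-ACL message in access_check() (the `#else` branch) repeats a word: the first literal ends with `'systemd-journal' group\n` and the continuation begins with `group may access messages.`, so the user sees "group group". Drop one of the two, for example by changing the second literal to `"may access messages."`. This text tells an unprivileged user which group grants journal access, so it is worth keeping identical in meaning to the HAVE_ACL wording. Since `assert(j->errors)` is gone, a one-line comment above the `set_isempty(j->errors)` test, such as `/* j->errors stays NULL until the first open error is recorded */`, would explain why a NULL set is expected here; this presumes set_isempty() accepts NULL, which the page does not show.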
|
@ -51,11 +51,17 @@
|
||||
|
||||
/* We return an error here only if we didn't manage to
|
||||
memorize the real error. */
|
||||
static int set_put_error(Set* errors, int r) {
|
||||
static int set_put_error(sd_journal *j, int r) {
|
||||
int k;
|
||||
|
||||
if (r >= 0)
|
||||
return r;
|
||||
|
||||
return set_put(errors, INT_TO_PTR(r));
|
||||
k = set_ensure_allocated(&j->errors, trivial_hash_func, trivial_compare_func);
|
||||
if (k < 0)
|
||||
return k;
|
||||
|
||||
return set_put(j->errors, INT_TO_PTR(r));
|
||||
}
|
||||
|
||||
static void detach_location(sd_journal *j) {
|
||||
@ -1248,7 +1254,7 @@ static int add_file(sd_journal *j, const char *prefix, const char *filename) {
|
||||
|
||||
if (hashmap_size(j->files) >= JOURNAL_FILES_MAX) {
|
||||
log_debug("Too many open journal files, not adding %s, ignoring.", path);
|
||||
return set_put_error(j->errors, -ETOOMANYREFS);
|
||||
return set_put_error(j, -ETOOMANYREFS);
|
||||
}
|
||||
|
||||
r = journal_file_open(path, O_RDONLY, 0, false, false, NULL, j->mmap, NULL, &f);
|
||||
@ -1392,7 +1398,7 @@ static int add_directory(sd_journal *j, const char *prefix, const char *dirname)
|
||||
if (r < 0) {
|
||||
log_debug("Failed to add file %s/%s: %s",
|
||||
m->path, de->d_name, strerror(-r));
|
||||
r = set_put_error(j->errors, r);
|
||||
r = set_put_error(j, r);
|
||||
if (r < 0)
|
||||
return r;
|
||||
}
|
||||
@ -1471,7 +1477,7 @@ static int add_root_directory(sd_journal *j, const char *p) {
|
||||
if (r < 0) {
|
||||
log_debug("Failed to add file %s/%s: %s",
|
||||
m->path, de->d_name, strerror(-r));
|
||||
r = set_put_error(j->errors, r);
|
||||
r = set_put_error(j, r);
|
||||
if (r < 0)
|
||||
return r;
|
||||
}
|
||||
@ -1526,8 +1532,11 @@ static int add_search_paths(sd_journal *j) {
|
||||
|
||||
NULSTR_FOREACH(p, search_paths) {
|
||||
r = add_root_directory(j, p);
|
||||
if (r < 0)
|
||||
return set_put_error(j->errors, r);
|
||||
if (r < 0 && r != -ENOENT) {
|
||||
r = set_put_error(j, r);
|
||||
if (r < 0)
|
||||
return r;
|
||||
}
|
||||
}
|
||||
|
||||
return 0;
|
||||
@ -1571,8 +1580,7 @@ static sd_journal *journal_new(int flags, const char *path) {
|
||||
j->files = hashmap_new(string_hash_func, string_compare_func);
|
||||
j->directories_by_path = hashmap_new(string_hash_func, string_compare_func);
|
||||
j->mmap = mmap_cache_new();
|
||||
j->errors = set_new(trivial_hash_func, trivial_compare_func);
|
||||
if (!j->files || !j->directories_by_path || !j->mmap || !j->errors)
|
||||
if (!j->files || !j->directories_by_path || !j->mmap)
|
||||
goto fail;
|
||||
|
||||
return j;
|
||||
@ -1630,7 +1638,7 @@ _public_ int sd_journal_open_directory(sd_journal **ret, const char *path, int f
|
||||
|
||||
r = add_root_directory(j, path);
|
||||
if (r < 0) {
|
||||
set_put_error(j->errors, r);
|
||||
set_put_error(j, r);
|
||||
goto fail;
|
||||
}
|
||||
|
||||
@ -1996,7 +2004,7 @@ static void process_inotify_event(sd_journal *j, struct inotify_event *e) {
|
||||
if (r < 0) {
|
||||
log_debug("Failed to add file %s/%s: %s",
|
||||
d->path, e->name, strerror(-r));
|
||||
set_put_error(j->errors, r);
|
||||
set_put_error(j, r);
|
||||
}
|
||||
|
||||
} else if (e->mask & (IN_DELETE|IN_MOVED_FROM|IN_UNMOUNT)) {
|
||||
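Review bot: set_put_error() can fail without memorizing the error (now also while allocating the set on first use), and two callers in this section discard its result: sd_journal_open_directory() and process_inotify_event() both call `set_put_error(j, r);` as a bare statement. In the inotify path a failure such as -EACCES from adding a file can therefore go unrecorded under memory pressure, and journalctl's access check, which tests for `-EACCES` in `j->errors`, would then say nothing about missing permissions. If best effort is intended, make it explicit at the call, e.g. `(void) set_put_error(j, r); /* best effort, nothing to do if we cannot memorize it */`. The comment above set_put_error() would also benefit from a sentence saying that `j->errors` is allocated lazily and remains NULL while no error has been recorded, so readers of the set must tolerate NULL. The bodies of both callers continue outside the hunks shown.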
|