journalctl: move access_check() to shared/
The only functional change is that log_notice("No journal files were found.") is not printed any more with --quiet. log_error("No journal files were opened due to insufficient permissions.") is still printed. I wasn't quite sure where to put this function, but shared/ seems to be the right place and none of the existing files seem to fit too well. v2: rename journal_access_check to journal_access_check_and_warn.
parent
7d8e7c0e19
commit
4f37cbd911
@ -1037,6 +1037,8 @@ libshared_la_SOURCES = \
|
|||||||
src/shared/apparmor-util.h \
|
src/shared/apparmor-util.h \
|
||||||
src/shared/ima-util.c \
|
src/shared/ima-util.c \
|
||||||
src/shared/ima-util.h \
|
src/shared/ima-util.h \
|
||||||
|
src/shared/journal-util.c \
|
||||||
|
src/shared/journal-util.h \
|
||||||
src/shared/ptyfwd.c \
|
src/shared/ptyfwd.c \
|
||||||
src/shared/ptyfwd.h \
|
src/shared/ptyfwd.h \
|
||||||
src/shared/base-filesystem.c \
|
src/shared/base-filesystem.c \
|
||||||
|
@ -52,6 +52,7 @@
|
|||||||
#include "journal-def.h"
|
#include "journal-def.h"
|
||||||
#include "journal-internal.h"
|
#include "journal-internal.h"
|
||||||
#include "journal-qrcode.h"
|
#include "journal-qrcode.h"
|
||||||
|
#include "journal-util.h"
|
||||||
#include "journal-vacuum.h"
|
#include "journal-vacuum.h"
|
||||||
#include "journal-verify.h"
|
#include "journal-verify.h"
|
||||||
#include "locale-util.h"
|
#include "locale-util.h"
|
||||||
@ -1805,131 +1806,6 @@ static int verify(sd_journal *j) {
|
|||||||
return r;
|
return r;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int access_check_var_log_journal(sd_journal *j) {
|
|
||||||
#ifdef HAVE_ACL
|
|
||||||
_cleanup_strv_free_ char **g = NULL;
|
|
||||||
const char* dir;
|
|
||||||
#endif
|
|
||||||
int r;
|
|
||||||
|
|
||||||
assert(j);
|
|
||||||
|
|
||||||
if (arg_quiet)
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
/* If we are root, we should have access, don't warn. */
|
|
||||||
if (getuid() == 0)
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
/* If we are in the 'systemd-journal' group, we should have
|
|
||||||
* access too. */
|
|
||||||
r = in_group("systemd-journal");
|
|
||||||
if (r < 0)
|
|
||||||
return log_error_errno(r, "Failed to check if we are in the 'systemd-journal' group: %m");
|
|
||||||
if (r > 0)
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
#ifdef HAVE_ACL
|
|
||||||
if (laccess("/run/log/journal", F_OK) >= 0)
|
|
||||||
dir = "/run/log/journal";
|
|
||||||
else
|
|
||||||
dir = "/var/log/journal";
|
|
||||||
|
|
||||||
/* If we are in any of the groups listed in the journal ACLs,
|
|
||||||
* then all is good, too. Let's enumerate all groups from the
|
|
||||||
* default ACL of the directory, which generally should allow
|
|
||||||
* access to most journal files too. */
|
|
||||||
r = acl_search_groups(dir, &g);
|
|
||||||
if (r < 0)
|
|
||||||
return log_error_errno(r, "Failed to search journal ACL: %m");
|
|
||||||
if (r > 0)
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
/* Print a pretty list, if there were ACLs set. */
|
|
||||||
if (!strv_isempty(g)) {
|
|
||||||
_cleanup_free_ char *s = NULL;
|
|
||||||
|
|
||||||
/* Thre are groups in the ACL, let's list them */
|
|
||||||
r = strv_extend(&g, "systemd-journal");
|
|
||||||
if (r < 0)
|
|
||||||
return log_oom();
|
|
||||||
|
|
||||||
strv_sort(g);
|
|
||||||
strv_uniq(g);
|
|
||||||
|
|
||||||
s = strv_join(g, "', '");
|
|
||||||
if (!s)
|
|
||||||
return log_oom();
|
|
||||||
|
|
||||||
log_notice("Hint: You are currently not seeing messages from other users and the system.\n"
|
|
||||||
" Users in groups '%s' can see all messages.\n"
|
|
||||||
" Pass -q to turn off this notice.", s);
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/* If no ACLs were found, print a short version of the message. */
|
|
||||||
log_notice("Hint: You are currently not seeing messages from other users and the system.\n"
|
|
||||||
" Users in the 'systemd-journal' group can see all messages. Pass -q to\n"
|
|
||||||
" turn off this notice.");
|
|
||||||
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
static int access_check(sd_journal *j) {
|
|
||||||
Iterator it;
|
|
||||||
void *code;
|
|
||||||
char *path;
|
|
||||||
int r = 0;
|
|
||||||
|
|
||||||
assert(j);
|
|
||||||
|
|
||||||
if (hashmap_isempty(j->errors)) {
|
|
||||||
if (ordered_hashmap_isempty(j->files))
|
|
||||||
log_notice("No journal files were found.");
|
|
||||||
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (hashmap_contains(j->errors, INT_TO_PTR(-EACCES))) {
|
|
||||||
(void) access_check_var_log_journal(j);
|
|
||||||
|
|
||||||
if (ordered_hashmap_isempty(j->files))
|
|
||||||
r = log_error_errno(EACCES, "No journal files were opened due to insufficient permissions.");
|
|
||||||
}
|
|
||||||
|
|
||||||
HASHMAP_FOREACH_KEY(path, code, j->errors, it) {
|
|
||||||
int err;
|
|
||||||
|
|
||||||
err = abs(PTR_TO_INT(code));
|
|
||||||
|
|
||||||
switch (err) {
|
|
||||||
case EACCES:
|
|
||||||
continue;
|
|
||||||
|
|
||||||
case ENODATA:
|
|
||||||
log_warning_errno(err, "Journal file %s is truncated, ignoring file.", path);
|
|
||||||
break;
|
|
||||||
|
|
||||||
case EPROTONOSUPPORT:
|
|
||||||
log_warning_errno(err, "Journal file %1$s uses an unsupported feature, ignoring file.\n"
|
|
||||||
"Use SYSTEMD_LOG_LEVEL=debug journalctl --file=%1$s to see the details.",
|
|
||||||
path);
|
|
||||||
break;
|
|
||||||
|
|
||||||
case EBADMSG:
|
|
||||||
log_warning_errno(err, "Journal file %s corrupted, ignoring file.", path);
|
|
||||||
break;
|
|
||||||
|
|
||||||
default:
|
|
||||||
log_warning_errno(err, "An error was encountered while opening journal file or directory %s, ignoring file: %m", path);
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return r;
|
|
||||||
}
|
|
||||||
|
|
||||||
static int flush_to_var(void) {
|
static int flush_to_var(void) {
|
||||||
_cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
|
_cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
|
||||||
_cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
|
_cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
|
||||||
@ -2241,7 +2117,7 @@ int main(int argc, char *argv[]) {
|
|||||||
goto finish;
|
goto finish;
|
||||||
}
|
}
|
||||||
|
|
||||||
r = access_check(j);
|
r = journal_access_check_and_warn(j, arg_quiet);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
goto finish;
|
goto finish;
|
||||||
|
|
||||||
|
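--- a/src/shared/journal-util.c
+++ b/src/shared/journal-util.c
@@ -0,0 +1,151 @@
+/***
+This file is part of systemd.
+
+Copyright 2013 Zbigniew Jędrzejewski-Szmek
+Copyright 2015 Lennart Poettering
+
+systemd is free software; you can redistribute it and/or modify it
+under the terms of the GNU Lesser General Public License as published by
+the Free Software Foundation; either version 2.1 of the License, or
+(at your option) any later version.
+
+systemd is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+Lesser General Public License for more details.
+
+You should have received a copy of the GNU Lesser General Public License
+along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+#include "acl-util.h"
+#include "fs-util.h"
+#include "hashmap.h"
+#include "journal-internal.h"
+#include "journal-util.h"
+#include "log.h"
+#include "strv.h"
+#include "user-util.h"
+
+static int access_check_var_log_journal(sd_journal *j) {
+#ifdef HAVE_ACL
+_cleanup_strv_free_ char **g = NULL;
+const char* dir;
+#endif
+int r;
+
+assert(j);
+
+/* If we are root, we should have access, don't warn. */
+if (getuid() == 0)
+return 0;
+
+/* If we are in the 'systemd-journal' group, we should have
+* access too. */
+r = in_group("systemd-journal");
+if (r < 0)
+return log_error_errno(r, "Failed to check if we are in the 'systemd-journal' group: %m");
+if (r > 0)
+return 0;
+
+#ifdef HAVE_ACL
+if (laccess("/run/log/journal", F_OK) >= 0)
+dir = "/run/log/journal";
+else
+dir = "/var/log/journal";
+
+/* If we are in any of the groups listed in the journal ACLs,
+* then all is good, too. Let's enumerate all groups from the
+* default ACL of the directory, which generally should allow
+* access to most journal files too. */
+r = acl_search_groups(dir, &g);
+if (r < 0)
+return log_error_errno(r, "Failed to search journal ACL: %m");
+if (r > 0)
+return 0;
+
+/* Print a pretty list, if there were ACLs set. */
+if (!strv_isempty(g)) {
+_cleanup_free_ char *s = NULL;
+
+/* Thre are groups in the ACL, let's list them */
+r = strv_extend(&g, "systemd-journal");
+if (r < 0)
+return log_oom();
+
+strv_sort(g);
+strv_uniq(g);
+
+s = strv_join(g, "', '");
+if (!s)
+return log_oom();
+
+log_notice("Hint: You are currently not seeing messages from other users and the system.\n"
+" Users in groups '%s' can see all messages.\n"
+" Pass -q to turn off this notice.", s);
+return 1;
+}
+#endif
+
+/* If no ACLs were found, print a short version of the message. */
+log_notice("Hint: You are currently not seeing messages from other users and the system.\n"
+" Users in the 'systemd-journal' group can see all messages. Pass -q to\n"
+" turn off this notice.");
+
+return 1;
+}
+
+int journal_access_check_and_warn(sd_journal *j, bool quiet) {
+Iterator it;
+void *code;
+char *path;
+int r = 0;
+
+assert(j);
+
+if (hashmap_isempty(j->errors)) {
+if (ordered_hashmap_isempty(j->files) && !quiet)
+log_notice("No journal files were found.");
+
+return 0;
+}
+
+if (hashmap_contains(j->errors, INT_TO_PTR(-EACCES))) {
+if (!quiet)
+(void) access_check_var_log_journal(j);
+
+if (ordered_hashmap_isempty(j->files))
+r = log_error_errno(EACCES, "No journal files were opened due to insufficient permissions.");
+}
+
+HASHMAP_FOREACH_KEY(path, code, j->errors, it) {
+int err;
+
+err = abs(PTR_TO_INT(code));
+
+switch (err) {
+case EACCES:
+continue;
+
+case ENODATA:
+log_warning_errno(err, "Journal file %s is truncated, ignoring file.", path);
+break;
+
+case EPROTONOSUPPORT:
+log_warning_errno(err, "Journal file %1$s uses an unsupported feature, ignoring file.\n"
+"Use SYSTEMD_LOG_LEVEL=debug journalctl --file=%1$s to see the details.",
+path);
+break;
+
+case EBADMSG:
+log_warning_errno(err, "Journal file %s corrupted, ignoring file.", path);
+break;
+
+default:
+log_warning_errno(err, "An error was encountered while opening journal file or directory %s, ignoring file: %m", path);
+break;
+}
+}
+
+return r;
+}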
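Review bot: Both `log_notice()` hints in `access_check_var_log_journal()` still end with `Pass -q to turn off this notice.`, which names journalctl's own option; in shared/ the suppression is whatever the caller maps to `quiet`, so another tool would print advice that may not match its command line. Consider dropping that sentence from the shared text or letting the caller supply it. It would also help to add a comment above the helper such as `/* Advisory only: decides whether to print a hint; access itself is enforced by file modes and ACLs. */`, since its result is discarded with `(void)` and the uid/group/ACL tests gate nothing. The comment typo `Thre are groups` was carried over from journalctl.c.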
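--- a/src/shared/journal-util.h
+++ b/src/shared/journal-util.h
@@ -0,0 +1,25 @@
+/***
+This file is part of systemd.
+
+Copyright 2013 Zbigniew Jędrzejewski-Szmek
+Copyright 2015 Lennart Poettering
+
+systemd is free software; you can redistribute it and/or modify it
+under the terms of the GNU Lesser General Public License as published by
+the Free Software Foundation; either version 2.1 of the License, or
+(at your option) any later version.
+
+systemd is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+Lesser General Public License for more details.
+
+You should have received a copy of the GNU Lesser General Public License
+along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+#include <stdbool.h>
+
+#include "sd-journal.h"
+
+int journal_access_check_and_warn(sd_journal *j, bool quiet);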
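Review bot: The new header has no include guard; it runs from the licence block straight to `#include <stdbool.h>`, so add `#pragma once` at the top before more declarations land here. The prototype also lacks a contract comment: judging from the implementation in journal-util.c, `quiet` suppresses only the notices, while the EACCES error and the per-file warnings are still logged, and the result appears to be 0 or a negative errno-style value when no file could be opened for lack of permission. A two-line comment above the declaration saying so would keep callers from assuming that `quiet` means silent.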