On Mon, Feb 03, 2020 at 09:44:19AM +0100, Michael Biebl wrote:
> On 03.02.20 at 09:30, Marc Haber wrote:
> > group::r-x			#effective:r--
> > group:adm:r-x			#effective:r--
>
> Just to be clear: you mean this x bit set for group/group:adm which is
> not in effect (in effect is r-- due to the mask)
> So is there actually a problem?
The problem is that aide notices the changes and duly reports it. And I
think it's an unintended change and would like not to be forced to mask
that.

> Afaics, this is just a result of how the permissions/ACLs are set up for
> /run/log/journal/$machineid
>
> If you create a file via touch in that directory, it should have the
> same permissions as the journal files, right?

[2/1541]mh@roll:~ $ sudo touch /run/log/journal/a663cb108c444a01ac0802d96eb0bccc/foo
[sudo] password for mh on roll:
[3/1542]mh@roll:~ $ ls -al /run/log/journal/a663cb108c444a01ac0802d96eb0bccc/
total 9,9M
drwxr-s---+ 2 root systemd-journal  100 Feb  3 15:44 ./
drwxr-sr-x 3 root systemd-journal   60 Feb  3 08:48 ../
-rw-r-----+ 1 root systemd-journal    0 Feb  3 15:44 foo
-rw-r-----+ 1 root systemd-journal 5,0M Feb  3 09:28 system\@2914964836b94758b67f1e5882bed2d2-0000000000000001-00059da724f09f96.journal
-rw-r-----+ 1 root systemd-journal 5,0M Feb  3 15:44 system.journal
[4/1543]mh@roll:~ $ getfacl /run/log/journal/a663cb108c444a01ac0802d96eb0bccc/foo
getfacl: Removing leading '/' from absolute path names
# file: run/log/journal/a663cb108c444a01ac0802d96eb0bccc/foo
# owner: root
# group: systemd-journal
user::rw-
group::r-x			#effective:r--
group:adm:r-x			#effective:r--
mask::r--
other::---

[5/1544]mh@roll:~ $ getfacl /run/log/journal/a663cb108c444a01ac0802d96eb0bccc/system.journal
getfacl: Removing leading '/' from absolute path names
# file: run/log/journal/a663cb108c444a01ac0802d96eb0bccc/system.journal
# owner: root
# group: systemd-journal
user::rw-
group::r-x			#effective:r--
group:adm:r-x			#effective:r--
mask::r--
other::---

[6/1545]mh@roll:~ $

Looks like that, but why are the acls on the rotated file (that should
simply be a rename, right?) also changing?
Currently, /usr/lib/tmpfiles.d/systemd.conf has:

d /run/log 0755 root root -
z /run/log/journal 2755 root systemd-journal - -
Z /run/log/journal/%m ~2750 root systemd-journal - -
a+ /run/log/journal/%m - - - - d:group:adm:r-x
a+ /run/log/journal/%m - - - - group:adm:r-x
a+ /run/log/journal/%m/*.journal* - - - - group:adm:r--

z /var/log/journal 2755 root systemd-journal - -
z /var/log/journal/%m 2755 root systemd-journal - -
z /var/log/journal/%m/system.journal 0640 root systemd-journal - -
a+ /var/log/journal - - - - d:group::r-x,d:group:adm:r-x
a+ /var/log/journal - - - - group::r-x,group:adm:r-x
a+ /var/log/journal/%m - - - - d:group:adm:r-x
a+ /var/log/journal/%m - - - - group:adm:r-x
a+ /var/log/journal/%m/system.journal - - - - group:adm:r--

d /var/log/private 0700 root root -

What would need to change to have the directory directly created with the
appropriate permissions that matches the one that gets set in log
rotation?

I see that we're rapidly approaching a solution. I really appreciate that.

Greetings
Marc
-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Leimen, Germany    |  lose things." Winona Ryder   | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
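As an added illustration (not part of the thread or of systemd): a small Python parser for getfacl output that applies the mask the way the kernel does, so the difference between a file inheriting the directory's default ACL (d:group:adm:r-x) and one set by the *.journal* rule (group:adm:r--) can be seen as "entries differ, effective access identical", which is exactly the kind of change an integrity checker such as AIDE reports. The two ACL samples are constructed after the output shown above.

```python
# Constructed sample input. INHERITED has the shape of the getfacl output in
# the thread for a file created under /run/log/journal/%m (default ACL
# applied); INTENDED is what the "group:adm:r--" rule on *.journal* sets.
INHERITED = """\
# owner: root
user::rw-
group::r-x        #effective:r--
group:adm:r-x     #effective:r--
mask::r--
other::---
"""
INTENDED = """\
user::rw-
group::r--
group:adm:r--
mask::r--
other::---
"""

PERM_BITS = {"r": 4, "w": 2, "x": 1}
def perm_to_bits(perms):
    return sum(PERM_BITS[c] for c in perms if c != "-")
def bits_to_perm(bits):
    return "".join(c if bits & v else "-" for c, v in PERM_BITS.items())

def parse_acl(text):
    """Ordered (tag, qualifier, perms) entries from getfacl output; the
    '# owner:' header and the '#effective:' annotations are dropped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#")[0].strip()      # strip comments/annotations
        if line:
            tag, qualifier, perms = line.split(":")
            entries.append((tag, qualifier, perms))
    return entries

def effective(entries):
    """Mask limits owning group, named users and named groups only."""
    mask = next((perm_to_bits(p) for t, _, p in entries if t == "mask"), 7)
    out = {}
    for tag, qualifier, perms in entries:
        bits = perm_to_bits(perms)
        if tag == "group" or (tag == "user" and qualifier):
            bits &= mask
        out[f"{tag}:{qualifier}"] = bits_to_perm(bits)
    return out

def acl_changed(before, after):
    """(entries differ as AIDE stores them, effective access differs)."""
    a, b = parse_acl(before), parse_acl(after)
    return a != b, effective(a) != effective(b)
```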