How do I grant a group (somegroup) read-only access to the system journal? (I'm using Debian 10 buster.)
$ journalctl
Hint: You are currently not seeing messages from other users and the system.
Users in the 'systemd-journal' group can see all messages. Pass -q to
turn off this notice.
No journal files were opened due to insufficient permissions.
I know I could add the user to the systemd-journal group, but how do I grant read access to a group of my own?
Create the following file:
# /etc/tmpfiles.d/somegroup_journal.conf
#Type Path Mode User Group Age Argument
a+ /run/log/journal - - - - d:group:somegroup:r-x
a+ /run/log/journal - - - - group:somegroup:r-x
a+ /run/log/journal/%m - - - - d:group:somegroup:r-x
a+ /run/log/journal/%m - - - - group:somegroup:r-x
a+ /run/log/journal/%m/*.journal* - - - - d:group:somegroup:r--
a+ /run/log/journal/%m/*.journal* - - - - group:somegroup:r--
man systemd-journald.service(8) has the following:
Additional users and groups may be granted access to journal files via file system access control lists (ACL). Distributions and administrators may choose to grant read access to all members of the "wheel" and "adm" system groups with a command such as the following:
# setfacl -Rnm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/
While that sounds perfect, the example touches /var/log/journal/, but journalctl prefers /run/log/journal/. This shows in the following source:
/* excerpt from src/journal/journalctl.c: the volatile directory wins if it exists */
if (laccess("/run/log/journal", F_OK) >= 0)
        dir = "/run/log/journal";
else
        dir = "/var/log/journal";

/* If we are in any of the groups listed in the journal ACLs,
 * then all is good, too. Let's enumerate all groups from the
 * default ACL of the directory, which generally should allow
 * access to most journal files too. */
r = acl_search_groups(dir, &g);
/run is mounted as a tmpfs, so the following ACL rule would probably not persist across reboots:
# setfacl -Rnm g:somegroup:rx,d:g:somegroup:rx /run/log/journal/
To make it persistent, configure whatever generates /run/log/journal. Browsing further through the sources, we find tmpfiles.d/systemd.conf.m4:
z /run/log/journal 2755 root systemd-journal - -
Z /run/log/journal/%m ~2750 systemd-journal - -
m4_ifdef(`HAVE_ACL',`
a+ /run/log/journal/%m - - - - d:group:adm:r-x
a+ /run/log/journal/%m - - - - group:adm:r-x
a+ /run/log/journal/%m/*.journal* - - - - d:group:adm:r--
')m4_dnl
This shows that the ACL rules need to be added via tmpfiles.d. The compiled version of the file above can be found locally at /usr/lib/tmpfiles.d/systemd.conf. Combining that example with man tmpfiles.d(5) provides the details needed to craft a working solution.
A quick test plus a reboot confirmed that the file above works!
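Added example (mine, not part of the answer above and not systemd's own code): the answer's tmpfiles.d file as a small POSIX shell helper, plus a check that parses getfacl(1) output so the ACL can be verified after the reboot the answer mentions. The function names, the group somegroup, and the sample getfacl output used for checking are assumptions. It differs from the answer's file in one point: it emits no d: (default ACL) entry for the *.journal* files, because default ACLs exist only on directories, and it goes a step beyond the answer by honouring getfacl's #effective: annotation when an ACL mask restricts the entry.

```shell
#!/bin/sh
# Added example, not code from the original answer. Assumed names: the helper
# functions below and the group "somegroup" from the answer. Needs POSIX sh + awk.
set -eu

# Emit a tmpfiles.d stanza granting GROUP read access to the volatile journal
# under /run/log/journal, mirroring the answer's file. "d:" entries are default
# ACLs inherited by entries created later; the others apply to what already
# exists. %m is expanded by systemd-tmpfiles to the machine ID. No "d:" entry
# is emitted for the *.journal* files: default ACLs exist only on directories.
journal_acl_conf() {
    group="$1"
    printf '%s\n' \
        '#Type Path Mode User Group Age Argument' \
        "a+ /run/log/journal - - - - d:group:${group}:r-x" \
        "a+ /run/log/journal - - - - group:${group}:r-x" \
        "a+ /run/log/journal/%m - - - - d:group:${group}:r-x" \
        "a+ /run/log/journal/%m - - - - group:${group}:r-x" \
        "a+ /run/log/journal/%m/*.journal* - - - - group:${group}:r--"
}

# Read getfacl(1) output on stdin; succeed only if an access (non-default)
# entry "group:GROUP:..." carries the read bit. "default:group:..." lines are
# ignored because they do not grant access to the directory itself. When the
# ACL mask restricts the entry, getfacl appends "#effective:<perms>"; the last
# colon-separated field is therefore the permission triplet that actually counts.
acl_grants_read() {
    group="$1"
    awk -v g="$group" '
        index($0, "group:" g ":") == 1 {
            n = split($0, p, ":")          # p[n] is the effective triplet
            if (substr(p[n], 1, 1) == "r") found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Write the stanza and apply it now instead of waiting for the next boot.
# Needs root, an ACL-capable tmpfs and systemd-tmpfiles (hypothetical wrapper).
install_journal_acl() {
    group="$1"
    conf="/etc/tmpfiles.d/${group}_journal.conf"
    journal_acl_conf "$group" > "$conf"
    systemd-tmpfiles --create "$conf"
}

# Check the ACL on this machine's journal directory, e.g. after a reboot.
verify_journal_acl() {
    group="$1"
    dir="/run/log/journal/$(cat /etc/machine-id)"
    getfacl -p "$dir" 2>/dev/null | acl_grants_read "$group"
}
```

Run `install_journal_acl somegroup` as root, then, as a member of the group, `journalctl -q -n 5`; after a reboot `verify_journal_acl somegroup` confirms that systemd-tmpfiles reapplied the rule on the fresh tmpfs. Keep in mind that membership in somegroup then exposes the whole system journal, including other users' messages, so treat it with the same care as membership in adm.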