-rw-r--r--Makefile.am9
-rw-r--r--README13
-rw-r--r--man/systemd-journald.service.xml35
-rw-r--r--src/journal/journalctl.c12
-rw-r--r--src/journal/journald-server.c6
5 files changed, 64 insertions, 11 deletions
diff --git a/Makefile.am b/Makefile.am
index 3d3f2652f..13211c45b 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2563,9 +2563,16 @@ libsystemd_journal_internal_la_LIBADD += \
$(GCRYPT_LIBS)
endif
-# move lib from $(libdir) to $(rootlibdir) and update devel link, if needed
+# move lib from $(libdir) to $(rootlibdir) and update devel link, if
+# needed. Also, grant read access to new journal files to members of
+# "adm" and "wheel".
libsystemd-journal-install-hook:
libname=libsystemd-journal.so && $(move-to-rootlibdir)
+ $(MKDIR_P) $(DESTDIR)/var/log/journal
+ -chown 0:0 $(DESTDIR)/var/log/journal
+ -chmod 755 $(DESTDIR)/var/log/journal
+ -setfacl -nm g:adm:rx,d:g:adm:rx $(DESTDIR)/var/log/journal/
+ -setfacl -nm g:wheel:rx,d:g:wheel:rx $(DESTDIR)/var/log/journal/
libsystemd-journal-uninstall-hook:
rm -f $(DESTDIR)$(rootlibdir)/libsystemd-journal.so*
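Review bot: The two added `setfacl` lines apply the access and default ACL to `$(DESTDIR)/var/log/journal/` only, without `-R`, so a machine-id subdirectory that already exists at install time would not pick up the `adm`/`wheel` entries, and neither would files created in it later. The man page text added in this same commit uses `setfacl -Rnm` for exactly that case, so the hook should probably read `-setfacl -Rnm g:adm:rx,d:g:adm:rx $(DESTDIR)/var/log/journal/` (likewise for `wheel`). Because every added command carries a leading `-`, a failing `setfacl` or `chown 0:0` is ignored silently, and with new files now going to `systemd-journal` instead of `adm`, members of `adm` could lose read access on upgrade without any message. With a staged DESTDIR install the ownership and ACLs may not survive packaging, so a comment saying the package's post-install script has to repeat them would help.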
diff --git a/README b/README
index d8b1b1296..300a4cf8b 100644
--- a/README
+++ b/README
@@ -100,6 +100,19 @@ REQUIREMENTS:
being 'html' or 'latexpdf'. If using DESTDIR for installation,
pass the same DESTDIR to 'make sphinx-html' invocation.
+USERS AND GROUPS:
+ During runtime the journal daemon requires the
+ "system-journal" system group to exist. New journal files will
+ be readable by this group (but not writable) which may be used
+ to grant specific users read access.
+
+ It is also recommended to grant read access to all journal
+ files to the system groups "wheel" and "adm" with a command
+ like the following in the post installation script of the
+ package:
+
+ # setfacl -nm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/
+
WARNINGS:
systemd will warn you during boot if /etc/mtab is not a
symlink to /proc/mounts. Please ensure that /etc/mtab is a
diff --git a/man/systemd-journald.service.xml b/man/systemd-journald.service.xml
index 4969ab19c..bc32c8e38 100644
--- a/man/systemd-journald.service.xml
+++ b/man/systemd-journald.service.xml
@@ -158,6 +158,38 @@
</variablelist>
</refsect1>
+ <refsect1>
+ <title>Access Control</title>
+
+ <para>Journal files are by default owned and readable
+ by the <literal>systemd-journal</literal> system group
+ (but not writable). Adding a user to this group thus
+ enables her/him to read the journal files.</para>
+
+ <para>By default, each logged in user will get her/his
+ own set of journal files in
+ <filename>/var/log/journal/</filename>. These files
+ will not be owned by the user however, in order to
+ avoid that the user can write to them
+ directly. Instead, file system ACLs are used to ensure
+ the user gets read access only.</para>
+
+ <para>Additional users and groups may be granted
+ access to journal files via file system access control
+ lists (ACL). Distributions and administrators may
+ choose to grant read access to all members of the
+ <literal>wheel</literal> and <literal>adm</literal>
+ system groups with a command such as the
+ following:</para>
+
+ <programlisting># setfacl -Rnm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/</programlisting>
+
+ <para>Note that this command will update the ACLs both
+ for existing journal files and for future journal
+ files created in the
+ <filename>/var/log/journal/</filename>
+ directory.</para>
+ </refsect1>
<refsect1>
<title>See Also</title>
@@ -166,7 +198,8 @@
<citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>journald.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.journal-fields</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>sd-journal</refentrytitle><manvolnum>3</manvolnum></citerefentry>
+ <citerefentry><refentrytitle>sd-journal</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>setfacl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
</para>
</refsect1>
diff --git a/src/journal/journalctl.c b/src/journal/journalctl.c
index d898ae717..cb93fea63 100644
--- a/src/journal/journalctl.c
+++ b/src/journal/journalctl.c
@@ -870,16 +870,16 @@ static int verify(sd_journal *j) {
static int access_check(void) {
#ifdef HAVE_ACL
- if (access("/var/log/journal", F_OK) < 0 && geteuid() != 0 && in_group("adm") <= 0) {
- log_error("Unprivileged users can't see messages unless persistent log storage is enabled. Users in the group 'adm' can always see messages.");
+ if (access("/var/log/journal", F_OK) < 0 && geteuid() != 0 && in_group("systemd-journal") <= 0) {
+ log_error("Unprivileged users can't see messages unless persistent log storage is enabled. Users in the group 'systemd-journal' can always see messages.");
return -EACCES;
}
- if (!arg_quiet && geteuid() != 0 && in_group("adm") <= 0)
- log_warning("Showing user generated messages only. Users in the group 'adm' can see all messages. Pass -q to turn this notice off.");
+ if (!arg_quiet && geteuid() != 0 && in_group("systemd-journal") <= 0)
+ log_warning("Showing user generated messages only. Users in the group 'systemd-journal' can see all messages. Pass -q to turn this notice off.");
#else
- if (geteuid() != 0 && in_group("adm") <= 0) {
- log_error("No access to messages. Only users in the group 'adm' can see messages.");
+ if (geteuid() != 0 && in_group("systemd-journal") <= 0) {
+ log_error("No access to messages. Only users in the group 'systemd-journal' can see messages.");
return -EACCES;
}
#endif
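Review bot: The notice in the `HAVE_ACL` branch keys on `in_group("systemd-journal")` alone, but the install hook and documentation in this commit grant `adm` and `wheel` read access through ACLs, so a member of those groups who can read every journal file would still be told "Showing user generated messages only". Either extend the condition, e.g. `in_group("systemd-journal") <= 0 && in_group("adm") <= 0 && in_group("wheel") <= 0`, or reword the message to say that access can also come from file system ACLs. The `<= 0` comparison also treats a failed group lookup the same as non-membership, which deserves a comment such as `/* a failed lookup is treated as "not a member" */`. access_check() continues past the end of this hunk.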
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
index 654f7ace2..ac565c7ec 100644
--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@@ -174,7 +174,7 @@ static uint64_t available_space(Server *s) {
}
static void server_read_file_gid(Server *s) {
- const char *adm = "adm";
+ const char *g = "systemd-journal";
int r;
assert(s);
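Review bot: The group name `"systemd-journal"` introduced here does not match the README text added in the same commit, which tells packagers the daemon requires a group called "system-journal". A packager who follows the README creates a group this lookup never finds, and, as the next hunk shows, a failing `get_group_creds()` only logs a warning and leaves `file_gid` at 0, so the intended readers get no group access to new journal files. The README should name `systemd-journal`, and a comment above the declaration such as `/* must match the group documented in README and systemd-journald.service(8) */` would help keep the two aligned. server_read_file_gid() continues outside this hunk.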
@@ -182,9 +182,9 @@ static void server_read_file_gid(Server *s) {
if (s->file_gid_valid)
return;
- r = get_group_creds(&adm, &s->file_gid);
+ r = get_group_creds(&g, &s->file_gid);
if (r < 0)
- log_warning("Failed to resolve 'adm' group: %s", strerror(-r));
+ log_warning("Failed to resolve '%s' group: %s", g, strerror(-r));
/* if we couldn't read the gid, then it will be 0, but that's
* fine and we shouldn't try to resolve the group again, so