
Re: [pcp] systemd pmda problem

To: Ken McDonell <kenj@xxxxxxxxxxxxxxxx>, "Frank Ch. Eigler" <fche@xxxxxxxxxx>
Subject: Re: [pcp] systemd pmda problem
From: Nathan Scott <nathans@xxxxxxxxxx>
Date: Tue, 16 Sep 2014 04:58:42 -0400 (EDT)
Cc: PCP <pcp@xxxxxxxxxxx>
Delivered-to: pcp@xxxxxxxxxxx
In-reply-to: <541682D7.4070004@xxxxxxxxxxxxxxxx>
References: <54163A53.3060007@xxxxxxxxxxxxxxxx> <y0m38btejx9.fsf@xxxxxxxx> <541682D7.4070004@xxxxxxxxxxxxxxxx>
Reply-to: Nathan Scott <nathans@xxxxxxxxxx>
Thread-index: 8Q8C0Qdj9K1nEvpCcsTG8AX6JYCfWg==
Thread-topic: systemd pmda problem
Hi,

----- Original Message -----
> On 15/09/14 11:45, Frank Ch. Eigler wrote:
> > ...  Chances are the widget just needs to run as root on that
> > box, unless the kind folks at suse have configured their systemd to
> > accept another uid/gid as fully journalctl-empowered.
> 
> Thanks Frank.
> 
> By "widget" I assume you mean the systemd pmda, correct?

(yep, that was my understanding of the intent there)

> And is there some place I could look to sniff (Larry Wall style) and
> determine what this uid/gid might be configured to be?
> 

From systemd-journal(8)...

       Additional users and groups may be granted access to journal files via
       file system access control lists (ACL). Distributions and
       administrators may choose to grant read access to all members of the
       "wheel" and "adm" system groups with a command such as the following:

           # setfacl -Rnm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/

So getfacl(1) could be used to find local users with an appropriate
level of access.  Well actually, hmm - this can be changed at runtime
I suppose (i.e. during pmdasystemd's lifetime), so perhaps libacl is
more appropriate (acl_get_fd(3) and similar APIs)?

Ho-hum, I guess the reverse is possible too - an admin can use setfacl
to remove users/groups read access, including adm/wheel on Fedora/RHEL
... erm, hmm, so ... does this PMDA need to run as root anyway?  (with
enforcing of uid/gid attribute permission checking for clients ...ISTR
it already has that logic?)

cheers.

--
Nathan
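A helper that applies the getfacl(1) approach discussed above, added here as an example and not part of the thread or of PCP: it parses getfacl output and reports whether a user or group effectively has read access to the journal directory, honouring the ACL mask (the case where an admin has narrowed access) and skipping default entries. The ACL text is constructed, and `acl_grants_read` / `journal_read_access` are hypothetical names.

```shell
# Added example, not from the thread or from PCP: decide from getfacl(1) output
# whether KIND/NAME (user|group) has read access to the journal directory.
# Honours the ACL mask (getfacl flags a narrowed entry with "#effective:") and
# ignores "default:" entries, which only apply to files created later.
acl_grants_read() {   # usage: getfacl -p DIR | acl_grants_read group adm  -> yes|no
    awk -v want_kind="$1" -v want_name="$2" '
        /^# owner: / { owner_user  = $3 }
        /^# group: / { owner_group = $3 }
        /^mask:/     { split($1, m, ":"); mask = m[3] }
        /^(user|group):/ {
            split($1, f, ":")          # $1 drops any trailing "#effective:" note
            kind = f[1]; name = f[2]; perms = f[3]
            if (name == "")            # unnamed entry = owner / owning group
                name = (kind == "user") ? owner_user : owner_group
            if (kind == want_kind && name == want_name) {
                found = perms
                masked = !(kind == "user" && f[2] == "")   # owner is never masked
            }
        }
        END {
            if (found == "") { print "no"; exit }
            r = (substr(found, 1, 1) == "r")
            if (masked && mask != "" && substr(mask, 1, 1) != "r") r = 0
            print (r ? "yes" : "no")
        }'
}
journal_read_access() {   # live check; needs getfacl from the acl package
    getfacl -p "${3:-/var/log/journal}" 2>/dev/null | acl_grants_read "$1" "$2"
}
# Constructed getfacl output after the setfacl command quoted in the thread.
SAMPLE_ACL='# file: /var/log/journal
# owner: root
# group: systemd-journal
user::rwx
group::r-x
group:adm:r-x
group:wheel:r-x
mask::r-x
other::---
default:group:adm:r-x'
# Same directory after an admin narrowed the mask (setfacl -m m::x): adm keeps
# its entry but is no longer effectively readable.
SAMPLE_MASKED_ACL='user::rwx
group::r-x
group:adm:r-x
mask::--x
other::---'
printf '%s\n' "$SAMPLE_ACL"        | acl_grants_read group adm   # yes
printf '%s\n' "$SAMPLE_MASKED_ACL" | acl_grants_read group adm   # no
```

Because the ACL can be changed while pmdasystemd is running, the check has to be repeated at the time of use rather than cached at startup; inside a PMDA the same decision is better taken with libacl (acl_get_fd(3)) than by shelling out.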
