systemd requires HTTP server and serves QR codes

Lennart Poettering mzerqung at 0pointer.de
Tue Oct 9 18:17:41 UTC 2012


On Tue, 09.10.12 10:31, Matthew Miller (mattdm at fedoraproject.org) wrote:

> On Tue, Oct 09, 2012 at 04:05:10PM +0200, Lennart Poettering wrote:
> > On Tue, 09.10.12 09:49, Matthew Miller (mattdm at fedoraproject.org) wrote:
> > > allowing regular users to do so. (Commonly currently accomplished by making
> > > /var/log/messages owned and readable by the wheel group.)
> > The HTTP thingy is not really how admins should access the logs. They
> > should just use journalctl.
> 
> On a related but tangental note: I notice that journalctl allows access to
> members of the admin group by default. 

Well, I'd say this differently: we _restrict_ access to "adm", in
contrast to the previous logic where everybody was allowed to read
/var/log/messages and only root /var/log/secure.

> In Fedora for the past few releases
> we've followed the tradition of making "wheel" the admin group -- see
> http://docs.fedoraproject.org/en-US/Fedora/17/html/Installation_Guide/sn-firstboot-systemuser.html
> This is also the case in RHEL 6, so changes here have downstream
> implications.

The way I see this is that "wheel" allows you to *do* privileged things,
but "adm" allows you to *see* privileged things.

Note that "adm" has been widely used for the log purpose on other Linux
distros, most notably Debian and its descendents. On Debian
/var/log/messages defaulted to being private to "adm", and we kinda
wanted to unify things here and though the Debian default is much nicer
than the Fedora default of world-readability of logs, from a security
PoV.

> Could we make that a default on Fedora in addition to adm? (I assume this is
> polkit but can't see it offhand -- hmmm... looks to be hard-coded in the
> source?) I don't really have a strong opinion about whether adm should work
> or not, but wheel should.

Well, we could of course add this as ACL, but I wonder if it wouldn't be
nicer to declare that "adm" is for seeing, and "wheel" for doing as I
suggested above.

> Second, there's a traditional separation between /var/log/secure and
> /var/log/messages. Crucially, the "secure" log may contain
> accidentally-typed user passwords and other privacy-sensitive information.
> How can we do something similar with the systemd journal and
> journalctl?

As mentioned no system messages are user-readable by default in the
journal. We are more secure by default with the journal.

> Ideally, the /var/log/messages data would be available to members of the
> admin group without extra authentication, but seeing the potentially-privacy
> sensitive /var/log/secure should require re-authentication. (As a sysadmin,
> I should be able to safely look at message data with a user looking over my
> shoulder, so I can help them without possibly exposing private information
> about other users on the system.)

Well, honestly the old secure vs. messages split is kinda broken, simply
because old syslog didn't check the originator of messages and hence
unprivileged processes could get have their data spill into the presumed
"secure" logs. Splitting this of based on the "facility" field is fake
securety, and we don't do "fake security" anymore with the journal.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.


More information about the devel mailing list