journalctl: improve hint about lack of access for --user-unit=...

When running journalctl --user-unit=foo as an unprivileged user we could get
the usual hint:
Hint: You are currently not seeing messages from the system and other users.
      Users in groups 'adm', 'systemd-journal', 'wheel' can see all messages.
      ...
But with --user-unit our filter is:
(((_UID=0 OR _UID=1000) AND OBJECT_SYSTEMD_USER_UNIT=foo.service) OR
 ((_UID=0 OR _UID=1000) AND COREDUMP_USER_UNIT=foo.service) OR
 (_UID=1000 AND USER_UNIT=foo.service) OR
 (_UID=1000 AND _SYSTEMD_USER_UNIT=foo.service))
so we would never see messages from other users.

We could still see messages from the system. In fact, on my machine the
only messages with OBJECT_SYSTEMD_USER_UNIT= are from the system:
journalctl  $(journalctl -F OBJECT_SYSTEMD_USER_UNIT|sed 's/.*/OBJECT_SYSTEMD_USER_UNIT=\0/')

Thus, a more correct hint is that we cannot see messages from the system.
Make it so.

Fixes #7887.

diff --git a/src/coredump/coredumpctl.c b/src/coredump/coredumpctl.c
index 96e4a3e7e22cb9595c7e1fbabc178e4dbd5ad0df..09178d5035e30366abca9a93e7d0f53fb2d4df88 100644 (file)
--- a/src/coredump/coredumpctl.c
+++ b/src/coredump/coredumpctl.c
@@ -1040,7 +1040,7 @@ int main(int argc, char *argv[]) {
                 }
         }
 
-        r = journal_access_check_and_warn(j, arg_quiet);
+        r = journal_access_check_and_warn(j, arg_quiet, true);
         if (r < 0)
                 goto end;
 

diff --git a/src/journal/journalctl.c b/src/journal/journalctl.c
index 0aa4c1f7724d6757d9e75a95329a9d6495ba2b61..02715142e91461c58c4f10b1b1f25cd9fc4cf40e 100644 (file)
--- a/src/journal/journalctl.c
+++ b/src/journal/journalctl.c
@@ -972,8 +972,7 @@ static int parse_argv(int argc, char *argv[]) {
                 return -EINVAL;
         }
 
-        if (!strv_isempty(arg_system_units) && (arg_journal_type == SD_JOURNAL_CURRENT_USER)) {
-
+        if (!strv_isempty(arg_system_units) && arg_journal_type == SD_JOURNAL_CURRENT_USER) {
                 /* Specifying --user and --unit= at the same time makes no sense (as the former excludes the user
                  * journal, but the latter excludes the system journal, thus resulting in empty output). Let's be nice
                  * to users, and automatically turn --unit= into --user-unit= if combined with --user. */
@@ -2241,7 +2240,8 @@ int main(int argc, char *argv[]) {
                 goto finish;
         }
 
-        r = journal_access_check_and_warn(j, arg_quiet);
+        r = journal_access_check_and_warn(j, arg_quiet,
+                                          !(arg_journal_type == SD_JOURNAL_CURRENT_USER || arg_user_units));
         if (r < 0)
                 goto finish;
 

diff --git a/src/shared/journal-util.c b/src/shared/journal-util.c
index eb7a75295fc20a82d9cf4b6754162b4007572bd8..7d53f9dd5646f1a54edfdffbef9ac08cf1628640 100644 (file)
--- a/src/shared/journal-util.c
+++ b/src/shared/journal-util.c
@@ -28,7 +28,7 @@
 #include "strv.h"
 #include "user-util.h"
 
-static int access_check_var_log_journal(sd_journal *j) {
+static int access_check_var_log_journal(sd_journal *j, bool want_other_users) {
 #if HAVE_ACL
         _cleanup_strv_free_ char **g = NULL;
         const char* dir;
@@ -81,22 +81,25 @@ static int access_check_var_log_journal(sd_journal *j) {
                 if (!s)
                         return log_oom();
 
-                log_notice("Hint: You are currently not seeing messages from other users and the system.\n"
+                log_notice("Hint: You are currently not seeing messages from %s.\n"
                            "      Users in groups '%s' can see all messages.\n"
-                           "      Pass -q to turn off this notice.", s);
+                           "      Pass -q to turn off this notice.",
+                           want_other_users ? "other users and the system" : "the system",
+                           s);
                 return 1;
         }
 #endif
 
         /* If no ACLs were found, print a short version of the message. */
-        log_notice("Hint: You are currently not seeing messages from other users and the system.\n"
+        log_notice("Hint: You are currently not seeing messages from %s.\n"
                    "      Users in the 'systemd-journal' group can see all messages. Pass -q to\n"
-                   "      turn off this notice.");
+                   "      turn off this notice.",
+                   want_other_users ? "other users and the system" : "the system");
 
         return 1;
 }
 
-int journal_access_check_and_warn(sd_journal *j, bool quiet) {
+int journal_access_check_and_warn(sd_journal *j, bool quiet, bool want_other_users) {
         Iterator it;
         void *code;
         char *path;
@@ -113,7 +116,7 @@ int journal_access_check_and_warn(sd_journal *j, bool quiet) {
 
         if (hashmap_contains(j->errors, INT_TO_PTR(-EACCES))) {
                 if (!quiet)
-                        (void) access_check_var_log_journal(j);
+                        (void) access_check_var_log_journal(j, want_other_users);
 
                 if (ordered_hashmap_isempty(j->files))
                         r = log_error_errno(EACCES, "No journal files were opened due to insufficient permissions.");

diff --git a/src/shared/journal-util.h b/src/shared/journal-util.h
index ef5e314d370a371356e96518d27fc58793e281e5..f973729a32df76f576a5c71cac69ce58ea5ee0ca 100644 (file)
--- a/src/shared/journal-util.h
+++ b/src/shared/journal-util.h
@@ -26,4 +26,4 @@
 
 bool journal_field_valid(const char *p, size_t l, bool allow_protected);
 
-int journal_access_check_and_warn(sd_journal *j, bool quiet);
+int journal_access_check_and_warn(sd_journal *j, bool quiet, bool want_other_users);