[thirdparty/systemd.git] / src / shared / journal-util.c

/* SPDX-License-Identifier: LGPL-2.1+ */
/***
  This file is part of systemd.

  Copyright 2013 Zbigniew Jędrzejewski-Szmek
  Copyright 2015 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include "acl-util.h"
#include "fs-util.h"
#include "hashmap.h"
#include "journal-internal.h"
#include "journal-util.h"
#include "log.h"
#include "strv.h"
#include "user-util.h"

static int access_check_var_log_journal(sd_journal *j, bool want_other_users) {
#if HAVE_ACL
        _cleanup_strv_free_ char **g = NULL;
        const char* dir;
#endif
        int r;

        assert(j);

        /* If we are root, we should have access, don't warn. */
        if (getuid() == 0)
                return 0;

        /* If we are in the 'systemd-journal' group, we should have
         * access too. */
        r = in_group("systemd-journal");
        if (r < 0)
                return log_error_errno(r, "Failed to check if we are in the 'systemd-journal' group: %m");
        if (r > 0)
                return 0;

#if HAVE_ACL
        if (laccess("/run/log/journal", F_OK) >= 0)
                dir = "/run/log/journal";
        else
                dir = "/var/log/journal";

        /* If we are in any of the groups listed in the journal ACLs,
         * then all is good, too. Let's enumerate all groups from the
         * default ACL of the directory, which generally should allow
         * access to most journal files too. */
        r = acl_search_groups(dir, &g);
        if (r < 0)
                return log_error_errno(r, "Failed to search journal ACL: %m");
        if (r > 0)
                return 0;

        /* Print a pretty list, if there were ACLs set. */
        if (!strv_isempty(g)) {
                _cleanup_free_ char *s = NULL;

                /* Thre are groups in the ACL, let's list them */
                r = strv_extend(&g, "systemd-journal");
                if (r < 0)
                        return log_oom();

                strv_sort(g);
                strv_uniq(g);

                s = strv_join(g, "', '");
                if (!s)
                        return log_oom();

                log_notice("Hint: You are currently not seeing messages from %s.\n"
                           "      Users in groups '%s' can see all messages.\n"
                           "      Pass -q to turn off this notice.",
                           want_other_users ? "other users and the system" : "the system",
                           s);
                return 1;
        }
#endif

        /* If no ACLs were found, print a short version of the message. */
        log_notice("Hint: You are currently not seeing messages from %s.\n"
                   "      Users in the 'systemd-journal' group can see all messages. Pass -q to\n"
                   "      turn off this notice.",
                   want_other_users ? "other users and the system" : "the system");

        return 1;
}

int journal_access_check_and_warn(sd_journal *j, bool quiet, bool want_other_users) {
        Iterator it;
        void *code;
        char *path;
        int r = 0;

        assert(j);

        if (hashmap_isempty(j->errors)) {
                if (ordered_hashmap_isempty(j->files) && !quiet)
                        log_notice("No journal files were found.");

                return 0;
        }

        if (hashmap_contains(j->errors, INT_TO_PTR(-EACCES))) {
                if (!quiet)
                        (void) access_check_var_log_journal(j, want_other_users);

                if (ordered_hashmap_isempty(j->files))
                        r = log_error_errno(EACCES, "No journal files were opened due to insufficient permissions.");
        }

        HASHMAP_FOREACH_KEY(path, code, j->errors, it) {
                int err;

                err = abs(PTR_TO_INT(code));

                switch (err) {
                case EACCES:
                        continue;

                case ENODATA:
                        log_warning_errno(err, "Journal file %s is truncated, ignoring file.", path);
                        break;

                case EPROTONOSUPPORT:
                        log_warning_errno(err, "Journal file %1$s uses an unsupported feature, ignoring file.\n"
                                               "Use SYSTEMD_LOG_LEVEL=debug journalctl --file=%1$s to see the details.",
                                               path);
                        break;

                case EBADMSG:
                        log_warning_errno(err, "Journal file %s corrupted, ignoring file.", path);
                        break;

                default:
                        log_warning_errno(err, "An error was encountered while opening journal file or directory %s, ignoring file: %m", path);
                        break;
                }
        }

        return r;
}

bool journal_field_valid(const char *p, size_t l, bool allow_protected) {
        const char *a;

        /* We kinda enforce POSIX syntax recommendations for
           environment variables here, but make a couple of additional
           requirements.

           http://pubs.opengroup.org/onlinepubs/000095399/basedefs/xbd_chap08.html */

        if (l == (size_t) -1)
                l = strlen(p);

        /* No empty field names */
        if (l <= 0)
                return false;

        /* Don't allow names longer than 64 chars */
        if (l > 64)
                return false;

        /* Variables starting with an underscore are protected */
        if (!allow_protected && p[0] == '_')
                return false;

        /* Don't allow digits as first character */
        if (p[0] >= '0' && p[0] <= '9')
                return false;

        /* Only allow A-Z0-9 and '_' */
        for (a = p; a < p + l; a++)
                if ((*a < 'A' || *a > 'Z') &&
                    (*a < '0' || *a > '9') &&
                    *a != '_')
                        return false;

        return true;
}
Commit	Line	Data
53e1b683	1	/* SPDX-License-Identifier: LGPL-2.1+ */
4f37cbd9 ZJS	2	/***
	3	This file is part of systemd.
	4
	5	Copyright 2013 Zbigniew Jędrzejewski-Szmek
	6	Copyright 2015 Lennart Poettering
	7
	8	systemd is free software; you can redistribute it and/or modify it
	9	under the terms of the GNU Lesser General Public License as published by
	10	the Free Software Foundation; either version 2.1 of the License, or
	11	(at your option) any later version.
	12
	13	systemd is distributed in the hope that it will be useful, but
	14	WITHOUT ANY WARRANTY; without even the implied warranty of
	15	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	16	Lesser General Public License for more details.
	17
	18	You should have received a copy of the GNU Lesser General Public License
	19	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	20	***/
	21
	22	#include "acl-util.h"
	23	#include "fs-util.h"
	24	#include "hashmap.h"
	25	#include "journal-internal.h"
	26	#include "journal-util.h"
	27	#include "log.h"
	28	#include "strv.h"
	29	#include "user-util.h"
	30
e79d0b59	31	static int access_check_var_log_journal(sd_journal *j, bool want_other_users) {
349cc4a5	32	#if HAVE_ACL
4f37cbd9 ZJS	33	_cleanup_strv_free_ char **g = NULL;
	34	const char* dir;
	35	#endif
	36	int r;
	37
	38	assert(j);
	39
	40	/* If we are root, we should have access, don't warn. */
	41	if (getuid() == 0)
	42	return 0;
	43
	44	/* If we are in the 'systemd-journal' group, we should have
	45	* access too. */
	46	r = in_group("systemd-journal");
	47	if (r < 0)
	48	return log_error_errno(r, "Failed to check if we are in the 'systemd-journal' group: %m");
	49	if (r > 0)
	50	return 0;
	51
349cc4a5	52	#if HAVE_ACL
4f37cbd9 ZJS	53	if (laccess("/run/log/journal", F_OK) >= 0)
	54	dir = "/run/log/journal";
	55	else
	56	dir = "/var/log/journal";
	57
	58	/* If we are in any of the groups listed in the journal ACLs,
	59	* then all is good, too. Let's enumerate all groups from the
	60	* default ACL of the directory, which generally should allow
	61	* access to most journal files too. */
	62	r = acl_search_groups(dir, &g);
	63	if (r < 0)
	64	return log_error_errno(r, "Failed to search journal ACL: %m");
	65	if (r > 0)
	66	return 0;
	67
	68	/* Print a pretty list, if there were ACLs set. */
	69	if (!strv_isempty(g)) {
	70	_cleanup_free_ char *s = NULL;
	71
	72	/* Thre are groups in the ACL, let's list them */
	73	r = strv_extend(&g, "systemd-journal");
	74	if (r < 0)
	75	return log_oom();
	76
	77	strv_sort(g);
	78	strv_uniq(g);
	79
	80	s = strv_join(g, "', '");
	81	if (!s)
	82	return log_oom();
	83
e79d0b59	84	log_notice("Hint: You are currently not seeing messages from %s.\n"
4f37cbd9	85	" Users in groups '%s' can see all messages.\n"
e79d0b59 ZJS	86	" Pass -q to turn off this notice.",
	87	want_other_users ? "other users and the system" : "the system",
	88	s);
4f37cbd9 ZJS	89	return 1;
	90	}
	91	#endif
	92
	93	/* If no ACLs were found, print a short version of the message. */
e79d0b59	94	log_notice("Hint: You are currently not seeing messages from %s.\n"
4f37cbd9	95	" Users in the 'systemd-journal' group can see all messages. Pass -q to\n"
e79d0b59 ZJS	96	" turn off this notice.",
e79d0b59 ZJS	97	want_other_users ? "other users and the system" : "the system");
4f37cbd9 ZJS	98
	99	return 1;
	100	}
	101
e79d0b59	102	int journal_access_check_and_warn(sd_journal *j, bool quiet, bool want_other_users) {
4f37cbd9 ZJS	103	Iterator it;
	104	void *code;
	105	char *path;
	106	int r = 0;
	107
	108	assert(j);
	109
	110	if (hashmap_isempty(j->errors)) {
	111	if (ordered_hashmap_isempty(j->files) && !quiet)
	112	log_notice("No journal files were found.");
	113
	114	return 0;
	115	}
	116
	117	if (hashmap_contains(j->errors, INT_TO_PTR(-EACCES))) {
	118	if (!quiet)
e79d0b59	119	(void) access_check_var_log_journal(j, want_other_users);
4f37cbd9 ZJS	120
	121	if (ordered_hashmap_isempty(j->files))
	122	r = log_error_errno(EACCES, "No journal files were opened due to insufficient permissions.");
	123	}
	124
	125	HASHMAP_FOREACH_KEY(path, code, j->errors, it) {
	126	int err;
	127
	128	err = abs(PTR_TO_INT(code));
	129
	130	switch (err) {
	131	case EACCES:
	132	continue;
	133
	134	case ENODATA:
	135	log_warning_errno(err, "Journal file %s is truncated, ignoring file.", path);
	136	break;
	137
	138	case EPROTONOSUPPORT:
	139	log_warning_errno(err, "Journal file %1$s uses an unsupported feature, ignoring file.\n"
	140	"Use SYSTEMD_LOG_LEVEL=debug journalctl --file=%1$s to see the details.",
	141	path);
	142	break;
	143
	144	case EBADMSG:
	145	log_warning_errno(err, "Journal file %s corrupted, ignoring file.", path);
	146	break;
	147
	148	default:
	149	log_warning_errno(err, "An error was encountered while opening journal file or directory %s, ignoring file: %m", path);
	150	break;
	151	}
	152	}
	153
	154	return r;
	155	}
53978b98 LP	156
	157	bool journal_field_valid(const char *p, size_t l, bool allow_protected) {
	158	const char *a;
	159
	160	/* We kinda enforce POSIX syntax recommendations for
	161	environment variables here, but make a couple of additional
	162	requirements.
	163
	164	http://pubs.opengroup.org/onlinepubs/000095399/basedefs/xbd_chap08.html */
	165
	166	if (l == (size_t) -1)
	167	l = strlen(p);
	168
	169	/* No empty field names */
	170	if (l <= 0)
	171	return false;
	172
	173	/* Don't allow names longer than 64 chars */
	174	if (l > 64)
	175	return false;
	176
	177	/* Variables starting with an underscore are protected */
	178	if (!allow_protected && p[0] == '_')
	179	return false;
	180
	181	/* Don't allow digits as first character */
	182	if (p[0] >= '0' && p[0] <= '9')
	183	return false;
	184
	185	/* Only allow A-Z0-9 and '_' */
	186	for (a = p; a < p + l; a++)
	187	if ((a < 'A' \|\| a > 'Z') &&
	188	(a < '0' \|\| a > '9') &&
	189	*a != '_')
	190	return false;
	191
	192	return true;
	193	}