1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
5 #include "bus-locator.h"
10 #include "journal-internal.h"
11 #include "journal-util.h"
14 #include "user-util.h"
/*
 * Diagnostic helper, called from journal_access_check_and_warn() once a permission error has been
 * recorded. It tells the user which group memberships would make the hidden messages visible.
 *
 * Steps visible in this listing:
 *   - in_group("systemd-journal") checks the caller's membership in that group.
 *   - The directory inspected is /run/log/journal when laccess(..., F_OK) succeeds on it,
 *     and /var/log/journal otherwise.
 *   - acl_search_groups() collects the groups named in that directory's ACL into g.
 *   - One of two log_notice() hints is printed: a long form listing the ACL groups plus
 *     'systemd-journal', or a short form naming only 'systemd-journal'.
 *
 * want_other_users only selects the wording ("other users and the system" vs "the system").
 *
 * The visible code only inspects and logs; it does not itself grant or deny access to any file.
 *
 * NOTE(review): the leading numbers are the original source line numbers and they are not
 * contiguous. The conditions guarding the return statements, the handling of the strv_extend()
 * and strv_join() results, and the final return value are on lines this listing omits.
 */
16 static int access_check_var_log_journal(sd_journal
*j
, bool want_other_users
) {
21 /* If we are root, we should have access, don't warn. */
25 /* If we are in the 'systemd-journal' group, we should have
27 r
= in_group("systemd-journal");
29 return log_error_errno(r
, "Failed to check if we are in the 'systemd-journal' group: %m");
34 _cleanup_strv_free_
char **g
= NULL
;
37 if (laccess("/run/log/journal", F_OK
) >= 0)
38 dir
= "/run/log/journal";
40 dir
= "/var/log/journal";
42 /* If we are in any of the groups listed in the journal ACLs,
43 * then all is good, too. Let's enumerate all groups from the
44 * default ACL of the directory, which generally should allow
45 * access to most journal files too. */
46 r
= acl_search_groups(dir
, &g
);
48 return log_error_errno(r
, "Failed to search journal ACL: %m");
52 /* Print a pretty list, if there were ACLs set. */
53 if (!strv_isempty(g
)) {
54 _cleanup_free_
char *s
= NULL
;
56 /* There are groups in the ACL, let's list them */
57 r
= strv_extend(&g
, "systemd-journal");
/* The separator "', '" closes and reopens the quotes, so the joined list fits inside the
 * single pair of quotes around %s in the notice below. */
64 s
= strv_join(g
, "', '");
68 log_notice("Hint: You are currently not seeing messages from %s.\n"
69 " Users in groups '%s' can see all messages.\n"
70 " Pass -q to turn off this notice.",
71 want_other_users
? "other users and the system" : "the system",
77 /* If no ACLs were found, print a short version of the message. */
78 log_notice("Hint: You are currently not seeing messages from %s.\n"
79 " Users in the 'systemd-journal' group can see all messages. Pass -q to\n"
80 " turn off this notice.",
81 want_other_users
? "other users and the system" : "the system");
/*
 * Reports whether j->errors contains an entry keyed by -EACCES, i.e. whether a permission
 * error was recorded on this journal handle. The result of hashmap_contains() is returned
 * unchanged.
 *
 * j is dereferenced directly; no NULL check is visible in this listing.
 */
86 int journal_access_blocked(sd_journal
*j
) {
87 return hashmap_contains(j
->errors
, INT_TO_PTR(-EACCES
));
/*
 * Reports the problems recorded in j->errors to the user.
 *
 *   - With no recorded errors, the only visible action is the "No journal files were found."
 *     notice, printed when j->files is empty and quiet is false.
 *   - If a permission error was recorded (journal_access_blocked()), the group-membership hint
 *     is printed through access_check_var_log_journal(); its result is deliberately discarded
 *     with (void). If in addition no file could be opened at all, an error is logged with EACCES
 *     and the value returned by log_error_errno() is kept in r.
 *   - Every entry of j->errors is then walked and turned into a warning.
 *
 * Each warning says the named file is being ignored, so output produced after any of them
 * may be incomplete. That matters when the journal is read for audit or incident review.
 *
 * NOTE(review): the leading numbers are the original source line numbers and they are not
 * contiguous. The case labels other than EPROTONOSUPPORT, the test that presumably makes the
 * hint depend on "quiet", and the return statements are on lines this listing omits.
 */
90 int journal_access_check_and_warn(sd_journal
*j
, bool quiet
, bool want_other_users
) {
97 if (hashmap_isempty(j
->errors
)) {
98 if (ordered_hashmap_isempty(j
->files
) && !quiet
)
99 log_notice("No journal files were found.");
104 if (journal_access_blocked(j
)) {
106 (void) access_check_var_log_journal(j
, want_other_users
);
108 if (ordered_hashmap_isempty(j
->files
))
109 r
= log_error_errno(EACCES
, "No journal files were opened due to insufficient permissions.");
/* In j->errors the key ("code") is an errno-style value stored as a pointer and the value
 * ("path") is the file or directory it was recorded for; abs() drops the sign of the code. */
112 HASHMAP_FOREACH_KEY(path
, code
, j
->errors
) {
115 err
= abs(PTR_TO_INT(code
));
122 log_warning_errno(err
, "Journal file %s is truncated, ignoring file.", path
);
125 case EPROTONOSUPPORT
:
/* %1$s is a positional conversion: both occurrences refer to the same first argument. */
126 log_warning_errno(err
, "Journal file %1$s uses an unsupported feature, ignoring file.\n"
127 "Use SYSTEMD_LOG_LEVEL=debug journalctl --file=%1$s to see the details.",
132 log_warning_errno(err
, "Journal file %s corrupted, ignoring file.", path
);
136 log_warning_errno(err
, "Too many journal files (limit is at %u) in scope, ignoring file '%s'.", JOURNAL_FILES_MAX
, path
);
140 log_warning_errno(err
, "An error was encountered while opening journal file or directory %s, ignoring file: %m", path
);
/*
 * Opens the journal of the machine (container) named by "machine".
 *
 * Steps visible in this listing:
 *   - connect to the system bus with sd_bus_open_system();
 *   - call OpenMachineRootDirectory on bus_machine_mgr, passing the machine name as a string;
 *   - read one file descriptor ("h") from the reply;
 *   - duplicate it with fcntl(F_DUPFD_CLOEXEC, 3);
 *   - pass the duplicate to sd_journal_open_directory_fd() with
 *     SD_JOURNAL_OS_ROOT | SD_JOURNAL_TAKE_DIRECTORY_FD OR-ed into the caller's flags.
 *
 * Root is required: the comment below explains that the directory descriptor is owned by the
 * container's users/groups, and the EPERM message names the --machine= switch.
 *
 * Every failure path logs a message and returns the logging helper's result.
 *
 * NOTE(review): the leading numbers are the original source line numbers and they are not
 * contiguous. The privilege test itself, the conditions before each return, the declarations
 * of r and fd, and the code that stores the opened journal in *ret are on lines this listing
 * omits.
 */
148 int journal_open_machine(sd_journal
**ret
, const char *machine
, int flags
) {
/* The _cleanup_ attributes tie each resource to this scope, so the early returns below do
 * not need explicit release code. -EBADF marks machine_fd as "no descriptor yet". */
149 _cleanup_(sd_bus_error_free
) sd_bus_error error
= SD_BUS_ERROR_NULL
;
150 _cleanup_(sd_bus_message_unrefp
) sd_bus_message
*reply
= NULL
;
151 _cleanup_(sd_bus_flush_close_unrefp
) sd_bus
*bus
= NULL
;
152 _cleanup_(sd_journal_closep
) sd_journal
*j
= NULL
;
153 _cleanup_close_
int machine_fd
= -EBADF
;
160 /* The file descriptor returned by OpenMachineRootDirectory() will be owned by users/groups of
161 * the container, thus we need root privileges to override them. */
162 return log_error_errno(SYNTHETIC_ERRNO(EPERM
), "Using the --machine= switch requires root privileges.");
164 r
= sd_bus_open_system(&bus
);
166 return log_error_errno(r
, "Failed to open system bus: %m");
168 r
= bus_call_method(bus
, bus_machine_mgr
, "OpenMachineRootDirectory", &error
, &reply
, "s", machine
);
170 return log_error_errno(r
, "Failed to open root directory of machine '%s': %s",
171 machine
, bus_error_message(&error
, r
));
173 r
= sd_bus_message_read(reply
, "h", &fd
);
175 return bus_log_parse_error(r
);
/* A descriptor read with "h" stays owned by the sd-bus message, so a private copy is made.
 * F_DUPFD_CLOEXEC sets close-on-exec on the copy, which keeps it from being inherited across
 * exec; the lower bound 3 keeps the copy clear of stdin, stdout and stderr. */
177 machine_fd
= fcntl(fd
, F_DUPFD_CLOEXEC
, 3);
179 return log_error_errno(errno
, "Failed to duplicate file descriptor: %m");
/* SD_JOURNAL_OS_ROOT makes sd-journal treat the directory as the root of an OS tree, and
 * SD_JOURNAL_TAKE_DIRECTORY_FD hands ownership of machine_fd to the journal handle. The
 * _cleanup_close_ on machine_fd therefore has to be disarmed on success; that code is not
 * part of this listing. */
181 r
= sd_journal_open_directory_fd(&j
, machine_fd
, SD_JOURNAL_OS_ROOT
| SD_JOURNAL_TAKE_DIRECTORY_FD
| flags
);
183 return log_error_errno(r
, "Failed to open journal in machine '%s': %m", machine
);