units/systemd-journalctl@.service: run with DynamicUser=yes

Follow-up for a109189fabe6a4c307528459f891c2d545361622

This follows the existing practice for
systemd-journal-{upload,gatewayd}.service,
as I think allocating a full-blown user
specifically for this purpose is an overkill.
And with DynamicUser=yes we can also take
advantage of implied sandboxing.

diff --git a/meson.build b/meson.build
index 114318113124ce482afedba589fba6f8bafb90e2..b50466dcfd0ea99fe7a302f9b135eb168bbf3297 100644 (file)
--- a/meson.build
+++ b/meson.build
@@ -895,7 +895,6 @@ foreach option : ['adm-gid',
                   'video-gid',
                   'wheel-gid',
                   'systemd-journal-gid',
-                  'systemd-journal-uid',
                   'systemd-network-uid',
                   'systemd-resolve-uid',
                   'systemd-timesync-uid']

diff --git a/meson_options.txt b/meson_options.txt
index 16d7f69611185dec542d71db63a0d67eb03f7f23..c1af7ce2374928010ea673f0b805316fb8491007 100644 (file)
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -328,8 +328,6 @@ option('wheel-gid', type : 'integer', value : 0,
        description : 'soft-static allocation for the "wheel" group')
 option('systemd-journal-gid', type : 'integer', value : 0,
        description : 'soft-static allocation for the systemd-journal group')
-option('systemd-journal-uid', type : 'integer', value : 0,
-       description : 'soft-static allocation for the systemd-journal user')
 option('systemd-network-uid', type : 'integer', value : 0,
        description : 'soft-static allocation for the systemd-network user')
 option('systemd-resolve-uid', type : 'integer', value : 0,

diff --git a/sysusers.d/systemd-journal.conf.in b/sysusers.d/systemd-journal.conf.in
index bb1277f2bb9bd80aea49d8265882c2780f45e787..61768b234ea72c75f85beddaea6b44703de9c56d 100644 (file)
--- a/sysusers.d/systemd-journal.conf.in
+++ b/sysusers.d/systemd-journal.conf.in
@@ -5,5 +5,4 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
 
-g  systemd-journal {{SYSTEMD_JOURNAL_GID}} -
-u! systemd-journal {{SYSTEMD_JOURNAL_UID}} "systemd Journal"
+g systemd-journal {{SYSTEMD_JOURNAL_GID}} -

diff --git a/units/systemd-journalctl@.service b/units/systemd-journalctl@.service
index 2a1701efca56837cedcef3695bb0b581c154b949..a816284cecf3b3a408c0dd8a6398edb2660fd53f 100644 (file)
--- a/units/systemd-journalctl@.service
+++ b/units/systemd-journalctl@.service
@@ -17,4 +17,6 @@ RequiresMountsFor=/var/log/journal
 
 [Service]
 ExecStart=journalctl
-User=systemd-journal
+DynamicUser=yes
+User=systemd-journal-access
+SupplementaryGroups=systemd-journal