From: lewo <lewo@abesis.fr>
Date: Tue, 7 Feb 2017 23:56:55 +0000 (+0100)
Subject: tmpfiles.d: set primary group rights to r-w (#5265)
X-Git-Tag: v233~150
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=15fcdc98cf4db7acdf5cd8df7614f3d3798ae81e;p=thirdparty%2Fsystemd.git

tmpfiles.d: set primary group rights to r-w (#5265)

If the /var/log/journal directory is created with rigths 700, the application
of an ACL rules without any primary group right sets it to 0. A chmod 755 on
this file will then only set the ACL mask and let the ACL primary group right
to 0. The directory is then unreadable for the primary group.

This patch explicitly sets the primary group to avoid this problem.

Fixes #5264.
---

diff --git a/tmpfiles.d/systemd.conf.m4 b/tmpfiles.d/systemd.conf.m4
index 2cd58e9121e..76e3829ab21 100644
--- a/tmpfiles.d/systemd.conf.m4
+++ b/tmpfiles.d/systemd.conf.m4
@@ -49,21 +49,21 @@ z /var/log/journal/%m/system.journal 0640 root systemd-journal - -
 m4_ifdef(`HAVE_ACL',`m4_dnl
 m4_ifdef(`ENABLE_ADM_GROUP',`m4_dnl
 m4_ifdef(`ENABLE_WHEEL_GROUP',``
-a+ /var/log/journal    - - - - d:group:adm:r-x,d:group:wheel:r-x
-a+ /var/log/journal    - - - - group:adm:r-x,group:wheel:r-x
+a+ /var/log/journal    - - - - d:group::r-x,d:group:adm:r-x,d:group:wheel:r-x
+a+ /var/log/journal    - - - - group::r-x,group:adm:r-x,group:wheel:r-x
 a+ /var/log/journal/%m - - - - d:group:adm:r-x,d:group:wheel:r-x
 a+ /var/log/journal/%m - - - - group:adm:r-x,group:wheel:r-x
 a+ /var/log/journal/%m/system.journal - - - - group:adm:r--,group:wheel:r--
 '', ``
-a+ /var/log/journal    - - - - d:group:adm:r-x
-a+ /var/log/journal    - - - - group:adm:r-x
+a+ /var/log/journal    - - - - d:group::r-x,d:group:adm:r-x
+a+ /var/log/journal    - - - - group::r-x,group:adm:r-x
 a+ /var/log/journal/%m - - - - d:group:adm:r-x
 a+ /var/log/journal/%m - - - - group:adm:r-x
 a+ /var/log/journal/%m/system.journal - - - - group:adm:r--
 '')',`m4_dnl
 m4_ifdef(`ENABLE_WHEEL_GROUP',``
-a+ /var/log/journal    - - - - d:group:wheel:r-x
-a+ /var/log/journal    - - - - group:wheel:r-x
+a+ /var/log/journal    - - - - d:group::r-x,d:group:wheel:r-x
+a+ /var/log/journal    - - - - group::r-x,group:wheel:r-x
 a+ /var/log/journal/%m - - - - d:group:wheel:r-x
 a+ /var/log/journal/%m - - - - group:wheel:r-x
 a+ /var/log/journal/%m/system.journal - - - - group:wheel:r--