From: Franck Bui <fbui@suse.com>
Date: Tue, 3 May 2016 23:29:11 +0000 (+0200)
Subject: tmpfiles: don't set the x bit for volatile system journal when ACL support is enabled... 
X-Git-Tag: v230~86
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d428dd6ac9a56e7b3421fb8ef3aac9937a4a2e62;p=thirdparty%2Fsystemd.git

tmpfiles: don't set the x bit for volatile system journal when ACL support is enabled (#3079)

When ACL support is enabled, systemd-tmpfiles-setup service sets the following
ACL entries to the volatile system journal:

   $ getfacl /run/log/journal/*/system.journal
   getfacl: Removing leading '/' from absolute path names
   # file: run/log/journal/xxx/system.journal
   # owner: root
   # group: systemd-journal
   user::rwx
   group::r--
   group:wheel:r-x
   group:adm:r-x
   mask::r-x
   other::---

This patch makes sure that the exec bit is not set anymore for the volatile
system journals.
---

diff --git a/tmpfiles.d/systemd.conf.m4 b/tmpfiles.d/systemd.conf.m4
index 150dab1e5ba..2cd58e9121e 100644
--- a/tmpfiles.d/systemd.conf.m4
+++ b/tmpfiles.d/systemd.conf.m4
@@ -30,14 +30,17 @@ m4_ifdef(`HAVE_ACL',`m4_dnl
 m4_ifdef(`ENABLE_ADM_GROUP',`m4_dnl
 m4_ifdef(`ENABLE_WHEEL_GROUP',``
 a+ /run/log/journal/%m - - - - d:group:adm:r-x,d:group:wheel:r-x
-A+ /run/log/journal/%m - - - - group:adm:r-x,group:wheel:r-x
+a+ /run/log/journal/%m - - - - group:adm:r-x,group:wheel:r-x
+a+ /run/log/journal/%m/*.journal* - - - - group:adm:r--,group:wheel:r--
 '',``
 a+ /run/log/journal/%m - - - - d:group:adm:r-x
-A+ /run/log/journal/%m - - - - group:adm:r-x
+a+ /run/log/journal/%m - - - - group:adm:r-x
+a+ /run/log/journal/%m/*.journal* - - - - group:adm:r--
 '')',`m4_dnl
 m4_ifdef(`ENABLE_WHEEL_GROUP',``
 a+ /run/log/journal/%m - - - - d:group:wheel:r-x
-A+ /run/log/journal/%m - - - - group:wheel:r-x
+a+ /run/log/journal/%m - - - - group:wheel:r-x
+a+ /run/log/journal/%m/*.journal* - - - - group:wheel:r--
 '')')')m4_dnl
 
 z /var/log/journal 2755 root systemd-journal - -