python-systemd

RFE: provide hint if permissions do not allow any journal files to be opened

Open dementedhedgehog opened this issue 6 years ago • 5 comments

Reading from journald without permission to do so should throw an exception but doesn't?

build:~$ cat /etc/os-release 
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

build:~$ 
build:~$ groups 
developers
build:~$ 
build:~$ journalctl --since "1 hour ago"
Hint: You are currently not seeing messages from other users and the system.
      Users in the 'systemd-journal' group can see all messages. Pass -q to
      turn off this notice.
No journal files were opened due to insufficient permissions.
build:~$ 
build:~$ python3.6
Python 3.6.3 (default, Jan  4 2018, 16:40:53) 
[GCC 4.8.5 20150623 (Red Hat 4.8.5-16)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> 
>>> 
>>> from systemd import journal
>>> j = journal.Reader()
>>> j.this_boot()
>>> j.log_level(journal.LOG_DEBUG)
>>> j.get_next()
{}
>>> for entry in j:
...     print(entry)
... 
>>> 

dementedhedgehog avatar Jun 13 '18 05:06 dementedhedgehog

On Ubuntu 18.04, journalctl does not itself exit with an error. So I wouldn't expect this python library to do it either.

$ journalctl -u asd
Hint: You are currently not seeing messages from other users and the system.
      Users in groups 'adm', 'systemd-journal' can see all messages.
      Pass -q to turn off this notice.
-- Logs begin at Wed 2018-10-17 13:14:15 CEST, end at Thu 2018-10-18 01:41:30 CEST. --
-- No entries -

stigok avatar Nov 04 '18 19:11 stigok

Hi stigok, I'm not sure that the logic follows. Python does not always, or perhaps even usually, behave the same way as C or old-school unix programs (scripts) do. How can you differentiate within code whether you have permissions to view journal entries or there are none?

cheers blaize

dementedhedgehog avatar Nov 05 '18 10:11 dementedhedgehog

That is a good question. There is not a whole lot written about handling permissions, but the little I found in the docs:

Note that in order to access the system journal, a non-root user must have the necessary privileges, see journalctl(1) for details. Unprivileged users can access only their own journal.

And man 1 journalctl says something more

All users are granted access to their private per-user journals. However, by default, only root and users who are members of a few special groups are granted access to the system journal and the journals of other users. Members of the groups "systemd-journal", "adm", and "wheel" can read all journal files. Note that the two latter groups traditionally have additional privileges specified by the distribution. Members of the "wheel" group can often perform administrative tasks.

Furthermore, in the --system, --user argument help text, it is stated that

If neither [--system, --user] is specified, show all messages that the user can see.

So to me, it seems like it's normal to just dump whatever it can and not really care about permissions. A way to check if you have system level permissions might be to see if a single line exists in a protected log. An example using journalctl could be

$ sudo -u ftp journalctl --boot 0 --lines=1
Hint: You are currently not seeing messages from other users and the system.
      Users in groups 'adm', 'systemd-journal', 'wheel' can see all messages.
      Pass -q to turn off this notice.
No journal files were opened due to insufficient permissions.

Does this make sense?

stigok avatar Nov 06 '18 10:11 stigok
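One way to make the distinction blaize asks about from Python, added here as an example and not code from python-systemd or from anyone in the thread: when a journal.Reader yields nothing, probe the journal files the way journalctl does internally and report whether any were denied rather than absent. The journal directories, the hint wording and the fixture built in demo() are this example's assumptions; the group names are the ones quoted from journalctl(1) above.

```python
import glob
import os
import tempfile

# Groups that journalctl(1) says may read all journal files (quoted in the thread).
PRIVILEGED_GROUPS = ("systemd-journal", "adm", "wheel")
# Assumed default locations of the persistent and volatile system journals.
DEFAULT_JOURNAL_DIRS = ("/var/log/journal", "/run/log/journal")


def probe_journal_files(journal_dirs=DEFAULT_JOURNAL_DIRS):
    """Try to open every *.journal* file; return (opened, denied) path lists."""
    opened, denied = [], []
    for directory in journal_dirs:
        pattern = os.path.join(directory, "**", "*.journal*")
        for path in sorted(glob.glob(pattern, recursive=True)):
            try:
                with open(path, "rb"):
                    opened.append(path)
            except PermissionError:  # EACCES/EPERM: file exists, not for us
                denied.append(path)
            except OSError:
                pass  # rotated away between listing and open
    return opened, denied


def journal_access_hint(journal_dirs=DEFAULT_JOURNAL_DIRS):
    """None when at least one journal file is readable, else a hint string.
    Call it when a journal.Reader yields nothing to tell 'denied' from 'empty'."""
    opened, denied = probe_journal_files(journal_dirs)
    if opened:
        return None
    if denied:
        return ("No journal files were opened due to insufficient permissions. "
                "Users in groups %s can see all messages."
                % ", ".join(repr(g) for g in PRIVILEGED_GROUPS))
    return "No journal files found under: " + ", ".join(journal_dirs)


def demo():
    """Constructed fixture: one directory with a fake journal file, one empty."""
    with tempfile.TemporaryDirectory() as root:
        populated = os.path.join(root, "machine-id")
        os.makedirs(populated)
        with open(os.path.join(populated, "system.journal"), "wb") as fh:
            fh.write(b"LPKSHHRH")  # journal header magic; constructed content
        empty = os.path.join(root, "empty")
        os.makedirs(empty)
        return journal_access_hint((root,)), journal_access_hint((empty,))
```

On a real host, an unprivileged user gets the permissions hint because the system journal files are listable but not readable; the denied case is not exercised by demo() since a root test run would be able to open anything.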

journalctl --system without root permissions gives exit code 1 here (systemd 237)

sebix avatar Nov 06 '18 21:11 sebix

journalctl uses private API to figure out what files were opened and what errors were encountered during attempts to open files. It then uses some detailed knowledge about systemd ACL setup to deliver a precise message. To replicate this in the python wrapper, additional information would have to be exported by the sd-journal code. I wouldn't be keen on reimplementing those heuristics, so ideally libsystemd would generate the same error message for us that journalctl and coredumpctl use.

keszybz avatar Jun 16 '19 16:06 keszybz