python-systemd
RFE: provide hint if permissions do not allow any journal files to be opened
Reading from journald without permission to do so should throw an exception but doesn't?
build:~$ cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
build:~$
build:~$ groups
developers
build:~$
build:~$ journalctl --since "1 hour ago"
Hint: You are currently not seeing messages from other users and the system.
Users in the 'systemd-journal' group can see all messages. Pass -q to
turn off this notice.
No journal files were opened due to insufficient permissions.
build:~$
build:~$ python3.6
Python 3.6.3 (default, Jan 4 2018, 16:40:53)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-16)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>>
>>>
>>> from systemd import journal
>>> j = journal.Reader()
>>> j.this_boot()
>>> j.log_level(journal.LOG_DEBUG)
>>> j.get_next()
{}
>>> for entry in j:
...     print(entry)
...
>>>
On Ubuntu 18.04, journalctl does not itself exit with an error. So I wouldn't expect this python library to do it either.
$ journalctl -u asd
Hint: You are currently not seeing messages from other users and the system.
Users in groups 'adm', 'systemd-journal' can see all messages.
Pass -q to turn off this notice.
-- Logs begin at Wed 2018-10-17 13:14:15 CEST, end at Thu 2018-10-18 01:41:30 CEST. --
-- No entries -
Hi stigok, I'm not sure that the logic follows. Python does not always, or perhaps even usually, behave the same way as C or old-school unix programs (scripts) do. How can you differentiate within code whether you have permissions to view journal entries or there are none?
cheers blaize
That is a good question. There is not a whole lot written about handling permissions, but the little I found in the docs:
Note that in order to access the system journal, a non-root user must have the necessary privileges, see journalctl(1) for details. Unprivileged users can access only their own journal.
And man 1 journalctl says something more:
All users are granted access to their private per-user journals. However, by default, only root and users who are members of a few special groups are granted access to the system journal and the journals of other users. Members of the groups "systemd-journal", "adm", and "wheel" can read all journal files. Note that the two latter groups traditionally have additional privileges specified by the distribution. Members of the "wheel" group can often perform administrative tasks.
Furthermore, in the --system, --user argument help text, it is stated that
If neither [--system, --user] is specified, show all messages that the user can see.
So to me, it seems like it's normal to just dump whatever it can and don't really care about permissions.
A way to check if you have system level permissions might be to see if a single line exists in a protected log. An example using journalctl could be
$ sudo -u ftp journalctl --boot 0 --lines=1
Hint: You are currently not seeing messages from other users and the system.
Users in groups 'adm', 'systemd-journal', 'wheel' can see all messages.
Pass -q to turn off this notice.
No journal files were opened due to insufficient permissions.
Does this make sense?
journalctl --system without root permissions gives exit code 1 here (systemd 237)
journalctl uses private API to figure out what files were opened and what errors were encountered during attempts to open files. It then uses some detailed knowledge about systemd ACL setup to deliver a precise message. To replicate this in the python wrapper, additional information would have to be exported by the sd-journal code. I wouldn't be keen on reimplementing those heuristics, so ideally libsystemd would generate the same error message for us that journalctl and coredumpctl use.