Bugzilla – Bug 972612
VUL-1: CVE-2014-9770: systemd: Archived journal files are world readable
Last modified: 2016-05-27 13:20:46 UTC
On Leap archived journal files in /var/log/journal/$uuid are all world-readable - both system and user. The current journal (i.e. system.journal for system instance or user-$UID.journal for user) is correctly restricted to root/systemd-journal or owning user.

This allows any user to read anyone's archived journals by using explicit

    journalctl --file=/path/to/archived/file

This problem does not exist on Tumbleweed where access to archived files is restricted in the same way as to current journal.

When user attempts to read journal without specifying filename, journalctl tries to open current journal first and errors out, which hides this issue.

On 13.2 it is worse - even current log in /run/log/journal is world-readable.
(In reply to Andrei Borzenkov from comment #0)
> On Leap archived journal files in /var/log/journal/$uuid are all
> world-readable - both system and user. The current journal (i.e.
> system.journal for system instance or user-$UID.journal for user) are
> correctly restricted to root/systemd-journal or owning user).
>
> This allows any user to read anyone's archived journals by using explicit
>
> journalctl --file=/path/to/archived/file
>
> This problem does not exist on Tumbleweed where access to archived files are
> restricted in the same way as to current journal.
>
> When user attempts to read journal without specifying filename, journalctl
> tries to open current journal first and errors out, which hides this issue.
>
> On 13.2 it is worse - even current log in /run/log/journal is world-readable.

I think I mistook archives and current log when I reported that. This is from a 13.2 system:

saturn:/var/log # l /run/log/journal/f52b941309a2472abeb86b944ca5b70d/
total 13184
drwxr-sr-x 2 root systemd-journal      80 Mar 25 12:25 ./
drwxr-sr-x 3 root systemd-journal      60 Mar 24 14:38 ../
-rwxr-xr-x 1 root systemd-journal 6750208 Mar 25 12:25 system@91d6be1d7f864d6a9489c6d1dbacb55f-0000000000000001-00052ecb8f50f9f6.journal*
-rw-r----- 1 root systemd-journal 6750208 Mar 25 13:05 system.journal
(In reply to Per Jessen from comment #1)
> -rw-r----- 1 root systemd-journal 6750208 Mar 25 13:05 system.journal

On my 13.2 VM it is world readable in /run/log/journal/$uuid.
(In reply to Andrei Borzenkov from comment #0)
> On Leap archived journal files in /var/log/journal/$uuid are all
> world-readable - both system and user. The current journal (i.e.
> system.journal for system instance or user-$UID.journal for user) are
> correctly restricted to root/systemd-journal or owning user).
>
> This allows any user to read anyone's archived journals by using explicit
>

Ouch ! That's probably due to:

# grep journal /usr/lib/tmpfiles.d/systemd.conf
m /var/log/journal 2755 root systemd-journal - -
Z /var/log/journal/%m 2755 root systemd-journal - -
m /run/log/journal 2755 root systemd-journal - -
Z /run/log/journal/%m 2755 root systemd-journal - -

And unfortunately this bug is due to a patch that has been backported quite some time ago now:

commit a606871da508995f5ede113a8fc6538afd98966c
Author: Greg KH <gregkh@linuxfoundation.org>
Date:   Tue Apr 15 14:12:01 2014 -0700

    tmpfiles: fix permissions on new journal files

    When starting up journald on a new system, set the proper permissions on
    the system.journal files, not only on the journal directory.

I'll fix it. Thanks for spotting.
(In reply to Andrei Borzenkov from comment #0)
> On Leap archived journal files in /var/log/journal/$uuid are all
> world-readable - both system and user. The current journal (i.e.
> system.journal for system instance or user-$UID.journal for user) are
> correctly restricted to root/systemd-journal or owning user).

The fact that system.journal gets the right permissions is due to a race between systemd-tmpfiles-setup.service and systemd-journal-flush.service :-/

Normally systemd-tmpfiles-setup.service should run after systemd-journal-flush.service. Therefore flushing the journal should fix the permissions but tmpfiles-setup.service screws them afterwards.

However since systemd-journal-flush.service doesn't make sure that journald actually finishes flushing the journal (in v210) before exiting, it happens that systemd-tmpfiles-setup.service runs before.

That's probably the main reason why journalctl gained the --flush option even though it's not obvious after reading the commit message which introduced it. --flush sends the SIGUSR1 signal to journald but also *waits* for the operation to complete.

Here running in debug mode makes system.journal have the wrong permissions.
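An added check for the condition described in the two comments above, written for this page and not taken from the bug report, openSUSE or systemd. It scans journal directories for regular files with the other-read bit set (what the recursive Z ... 2755 tmpfiles line produces on the journal files), offers a remediation that strips only the other bits, and runs both against a constructed directory tree that mimics the bug. The function names, the demo machine id and the archive file name are assumptions of the example.

```sh
#!/bin/sh
# Added example for this bug (not code from the report, openSUSE or systemd):
# audit journal directories for world-readable journal files and strip the
# "other" bits, which is what the recursive tmpfiles 'Z ... 2755' line
# wrongly applied to the files. Function names and the demo layout below
# are this example's own choices.

# Print every regular file under the given directories whose "other" read
# bit is set. '-perm -o+r' is POSIX symbolic mode: "all of these bits set".
# Directories are not reported: the journal directories are meant to be
# traversable (2755/2750); it is the files that must not be world-readable.
world_readable_journals() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f -perm -o+r 2>/dev/null || true
    done
    return 0
}

# Exit status 1 (offenders listed on stdout) if any journal file is
# world-readable, 0 if clean. Suitable for a cron job or a CI check.
audit_journal_perms() {
    hits=$(world_readable_journals "$@")
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Remediation: clear the other bits on every offending file. Owner and
# group are untouched, so user-$UID.journal stays readable by its owner and
# system journals stay readable by group systemd-journal.
fix_journal_perms() {
    world_readable_journals "$@" | while IFS= read -r f; do
        chmod o-rwx "$f"
    done
}

# Constructed demo tree mirroring the bug: one per-machine directory with a
# current and an archived system journal, then a recursive chmod the way the
# 'Z' line does, after which journald re-creates only the current file with
# 0640. The machine id and the archive name are made up.
demo_buggy_tree() {
    base=$(mktemp -d)
    mdir="$base/journal/0123456789abcdef0123456789abcdef"
    mkdir -p "$mdir"
    : > "$mdir/system.journal"
    : > "$mdir/system@0000000000000001-000000000000aaaa.journal"
    chmod -R 755 "$base/journal"
    chmod 0640 "$mdir/system.journal"
    printf '%s\n' "$base"
}

# Stand-alone run: show the finding on the demo tree, fix it, re-check.
# On a real host call: audit_journal_perms /var/log/journal /run/log/journal
demo_base=$(demo_buggy_tree)
echo "== before fix =="
audit_journal_perms "$demo_base" || echo "(world-readable journal files found)"
fix_journal_perms "$demo_base"
echo "== after fix =="
audit_journal_perms "$demo_base" && echo "(clean)"
rm -rf "$demo_base"
```

Run as-is it only touches the temporary demo tree; on a real host call audit_journal_perms with /var/log/journal and /run/log/journal as root, since a correctly restricted per-machine directory cannot be traversed by other users. Note that in tmpfiles.d(5) the lowercase z type adjusts the mode of the named path only, while uppercase Z applies it recursively, which is why a 2755 Z line on the per-machine directory reaches the journal files inside it.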
@Andrei, could you give this repo a test ? http://download.opensuse.org/repositories/home:/fbui:/branches:/openSUSE:/Leap:/42.1:/Update:/boo-972612/standard/ Thanks.
(In reply to Franck Bui from comment #5)
> @Andrei, could you give this repo a test ?
>
> http://download.opensuse.org/repositories/home:/fbui:/branches:/openSUSE:/
> Leap:/42.1:/Update:/boo-972612/standard/
>

Seems to work here for persistent /var/log/journal. I do not have run-time journal files on this VM, do you have the same for 13.2 (I think I have seen build failure there)?
(In reply to Andrei Borzenkov from comment #6)
> (In reply to Franck Bui from comment #5)
> > @Andrei, could you give this repo a test ?
> >
> > http://download.opensuse.org/repositories/home:/fbui:/branches:/openSUSE:/
> > Leap:/42.1:/Update:/boo-972612/standard/
> >
>
> Seems to work here for persistent /var/log/journal. I do not have run-time
> journal files on this VM, do you have the same for 13.2 (I think I have seen
> build failure there)?

Testing package should be available now for 13.2 (same repo).

Here's the result for volatile journal storage:

# ls -ld /run/log/{,journal,journal/*,journal/*/*}
drwxr-xr-x 3 root root              60 Mar 31 09:58 /run/log/
drwxr-sr-x 3 root systemd-journal   60 Mar 31 09:58 /run/log/journal
drwxr-s--- 2 root systemd-journal   80 Mar 31 09:58 /run/log/journal/f68eb0b6ac474680b72dc19f3b6e4622
-rwxr-x--- 1 root systemd-journal 6529024 Mar 31 09:58 /run/log/journal/f68eb0b6ac474680b72dc19f3b6e4622/system@00052f53a1bb1bb7-e5df1b1c44013b91.journal~
-rwxr-x--- 1 root systemd-journal 6529024 Mar 31 10:00 /run/log/journal/f68eb0b6ac474680b72dc19f3b6e4622/system.journal

and as a regular user:

# ls /run/log/journal/f68eb0b6ac474680b72dc19f3b6e4622
ls: cannot open directory /run/log/journal/f68eb0b6ac474680b72dc19f3b6e4622: Permission denied
I've fixed this bug slightly differently now.

Please give it a test if possible when it has finished building. Thanks.
(please keep the subject)
(In reply to Franck Bui from comment #8)
> I've fixed this bug slightly differently now.
>
> Please give it a test if possible when it will finish to build.
>

Looks OK on both Leap and 13.2. Do you need separate bug report for 13.2?
(In reply to Andrei Borzenkov from comment #10)
> (In reply to Franck Bui from comment #8)
> > I've fixed this bug slightly differently now.
> >
> > Please give it a test if possible when it will finish to build.
> >
>
> Looks OK on both Leap and 13.2. Do you need separate bug report for 13.2?

I don't think we need a separate one for 13.2 since 13.2 is affected by the very same bug.

Thanks.
As I want to request a CVE, what upstream versions were affected? Perhaps the commit that fixes it too? (I see the commit that introduces it above?)
(In reply to Marcus Meissner from comment #13)
> as I want to request a CVE, what upstream versiuons were affected?
>

Affected by commit a606871da508995f5ede113a8fc6538afd98966c which was introduced by v213. This commit was unfortunately backported in the SLE12 and openSUSE-13.[12] distros some time ago now.

> perhaps the commit that fixes it too? (I see the commit that introduces it
> above?)

I don't think this has been fixed at all for those who run systemd with the above commit applied.

commit 176f2acf8dee45fee832fd2ab07243f63783a238 (v214) stops systemd from setting the world readable bit but leaves the already created journal files with this bit set.

commit afae249efa4774c6676738ac5de6aeb4daf4889f (v229) makes sure that the world readable bit is removed but only for the current persistent journal (/var/log/journal/xxxx/system.journal). No changes for the archived journals.

For volatile journals, this was fixed by 176f2acf8dee45fee832fd2ab07243f63783a238 (v214).
i requested a CVE on oss-sec
(In reply to Marcus Meissner from comment #15)
> Fixed for volatile journals was done by this commit in v214:
> https://github.com/systemd/systemd/commit/176f2acf8dee45fee832fd2ab07243f63783a238

Use CVE-2014-9770.

> Fixed for the current persistent journal by this commit in v229:
> https://github.com/systemd/systemd/commit/afae249efa4774c6676738ac5de6aeb4daf4889f

Use CVE-2015-8842.
This is an autogenerated message for OBS integration:
This bug (972612) was mentioned in
https://build.opensuse.org/request/show/387363 13.1 / systemd
https://build.opensuse.org/request/show/387366 13.2 / systemd
This is an autogenerated message for OBS integration:
This bug (972612) was mentioned in
https://build.opensuse.org/request/show/387417 13.2 / systemd
https://build.opensuse.org/request/show/387420 13.1 / systemd
openSUSE-SU-2016:1101-1: An update that solves two vulnerabilities and has 8 fixes is now available.

Category: security (important)
Bug References: 959886,960158,963230,964355,965897,967122,970423,970860,972612,972727
CVE References: CVE-2014-9770,CVE-2015-8842
Sources used:
openSUSE 13.2 (src): systemd-210.1459453449.5237776-25.37.1, systemd-mini-210.1459453449.5237776-25.37.1
SUSE-SU-2016:1346-1: An update that solves two vulnerabilities and has 10 fixes is now available.

Category: security (moderate)
Bug References: 959886,960158,963230,965897,967122,970423,970860,972612,972727,973848,976766,978275
CVE References: CVE-2014-9770,CVE-2015-8842
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): systemd-210-104.1
SUSE Linux Enterprise Server 12-SP1 (src): systemd-210-104.1
SUSE Linux Enterprise Desktop 12-SP1 (src): systemd-210-104.1
SUSE-SU-2016:1351-1: An update that solves two vulnerabilities and has 10 fixes is now available.

Category: security (moderate)
Bug References: 959886,960158,963230,965897,967122,970423,970860,972612,972727,973848,976766,978275
CVE References: CVE-2014-9770,CVE-2015-8842
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): systemd-210-70.48.1
SUSE Linux Enterprise Server 12 (src): systemd-210-70.48.1
SUSE Linux Enterprise Desktop 12 (src): systemd-210-70.48.1
openSUSE-SU-2016:1414-1: An update that solves two vulnerabilities and has 10 fixes is now available.

Category: security (moderate)
Bug References: 959886,960158,963230,965897,967122,970423,970860,972612,972727,973848,976766,978275
CVE References: CVE-2014-9770,CVE-2015-8842
Sources used:
openSUSE Leap 42.1 (src): systemd-210-92.1, systemd-mini-210-92.1
Closing since 42.1 is finally out and the new update contains the fix.