Re: Normal user can ask status of services

On Sun, 27 Aug 2023 at 18:30, Leon Fauster <leonfauster@xxxxxxxxxxxxxx> wrote:
On 26.08.23 at 18:41, Cecil Westerhof wrote:
> Replying on google does not work as I am used to. It sends to the sender
> instead of the group. 😱
>
> On Sat, 26 Aug 2023 at 18:36, Cecil Westerhof
> <cldwesterhof@xxxxxxxxx> wrote:
>
>     On Sat, 26 Aug 2023 at 14:46, Michael Biebl <mbiebl@xxxxxxxxx>
>     wrote:
>
>         On Sat, 26 Aug 2023 at 09:44, Cecil Westerhof
>         <cldwesterhof@xxxxxxxxx> wrote:
>          >
>          > I am at last implementing systemd timers. The service I
>         created can have its status queried by a normal user. I thought
>         I must have made a mistake. But when I do:
>          >     systemctl status cron
>          >
>          > I get:
>          >     ● cron.service - Regular background program processing daemon
>          >          Loaded: loaded (/lib/systemd/system/cron.service;
>         enabled; preset: enabled)
>          >          Active: active (running) since Sat 2023-08-19
>         18:12:04 CEST; 6 days ago
>          >            Docs: man:cron(8)
>          >        Main PID: 790 (cron)
>          >           Tasks: 1 (limit: 17837)
>          >          Memory: 91.0M
>          >             CPU: 14min 3.110s
>          >          CGroup: /system.slice/cron.service
>          >                  └─790 /usr/sbin/cron -f
>          >
>          >     Warning: some journal files were not opened due to
>         insufficient permissions.
>          >
>          > Is this the expected behaviour?
>          > If not: what could be wrong with my system?
>          >
>          > This is on Debian 11.
>
>         Reading system logs is a privileged operation.
>
>         You can grant this privilege to individual users by adding them
>         to the
>         systemd-journal (or adm) group.
>
>         Adding users to the adm will grant them additional privileges,
>         so be careful.
>
>
>     The user is in the lpadmin group, but not in systemd-journal, or adm
>     and still can ask the status.
>     Another reply indicates that this is normal.
>


Well, you can look at the process list anytime as a normal user. So, what
are you trying to accomplish? What's the goal? Hiding the process from
the users?

I was surprised that I could see it. And as I understand it, I am certainly not the only one. One reply to my question was even that it is a privileged operation and should not be possible without a group added to the user which was not added to the user.
I agree that you can find out everything with ps, but that is a lot more work.
I was just surprised that it was possible (and again I am far from the only one). I just wanted to check it out, and now I know it is expected behaviour.
Better to ask a 'dumb' question than to stay ignorant, I think.

--
Cecil Westerhof
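
Added example, not part of any message in this thread: a shell audit of which accounts hold the journal-reading privilege discussed above, through supplementary or primary membership of systemd-journal or adm. The function names and the sample group/passwd entries are constructed for illustration; on a live system, pass /etc/group and /etc/passwd instead.

```shell
#!/bin/sh
# List accounts that belong to systemd-journal or adm, the groups the
# thread names as granting read access to the system journal.
journal_readers() {   # $1: file in /etc/group format, $2: /etc/passwd format
    awk -F: '
        # First file, group format: name:passwd:gid:member,member,...
        FNR == NR {
            if ($1 == "systemd-journal" || $1 == "adm") {
                gids[$3] = $1
                n = split($4, members, ",")
                for (i = 1; i <= n; i++)
                    if (members[i] != "")
                        via[members[i]] = via[members[i]] " " $1
            }
            next
        }
        # Second file, passwd format: a primary GID also confers membership.
        ($4 in gids) { via[$1] = via[$1] " " gids[$4] }
        END { for (user in via) print user ":" via[user] }
    ' "$1" "$2" | LC_ALL=C sort
}

# Constructed sample data (not taken from any real system).
sample_run() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/group" <<'EOF'
root:x:0:
adm:x:4:syslog,alice
lpadmin:x:116:carol
systemd-journal:x:101:alice,bob
users:x:100:
EOF
    cat > "$tmp/passwd" <<'EOF'
alice:x:1000:100::/home/alice:/bin/bash
bob:x:1001:100::/home/bob:/bin/bash
carol:x:1002:100::/home/carol:/bin/bash
logsvc:x:998:101::/nonexistent:/usr/sbin/nologin
EOF
    journal_readers "$tmp/group" "$tmp/passwd"
    rm -rf "$tmp"
}

sample_run
```

The sample account carol, who is only in lpadmin, is not listed; such a user still gets the unit state from `systemctl status` but sees the "journal files were not opened" warning shown in the thread.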
