Re: Normal user can ask status of services

On 27.08.2023 20:35, Cecil Westerhof wrote:
On Sun, 27 Aug 2023 at 18:30, Leon Fauster <leonfauster@xxxxxxxxxxxxxx> wrote:

On 26.08.23 at 18:41, Cecil Westerhof wrote:
Replying on google does not work as I am used to. It sends to the sender
instead of the group. 😱

On Sat, 26 Aug 2023 at 18:36, Cecil Westerhof <cldwesterhof@xxxxxxxxx> wrote:

     On Sat, 26 Aug 2023 at 14:46, Michael Biebl <mbiebl@xxxxxxxxx> wrote:

         On Sat, 26 Aug 2023 at 09:44, Cecil Westerhof <cldwesterhof@xxxxxxxxx> wrote:
         >
         > I am at last implementing systemd timers. The service I created can have its status queried by a normal user. I thought I must have made a mistake. But when I do:
         >     systemctl status cron
         >
         > I get:
         >     ● cron.service - Regular background program processing daemon
         >          Loaded: loaded (/lib/systemd/system/cron.service; enabled; preset: enabled)
         >          Active: active (running) since Sat 2023-08-19 18:12:04 CEST; 6 days ago
         >            Docs: man:cron(8)
         >        Main PID: 790 (cron)
         >           Tasks: 1 (limit: 17837)
         >          Memory: 91.0M
         >             CPU: 14min 3.110s
         >          CGroup: /system.slice/cron.service
         >                  └─790 /usr/sbin/cron -f
         >
         >     Warning: some journal files were not opened due to insufficient permissions.
         >
         > Is this the expected behaviour?
         > If not: what could be wrong with my system?
         >
         > This is on Debian 11.

         Reading system logs is a privileged operation.

         You can grant this privilege to individual users by adding them
         to the systemd-journal (or adm) group.

         Adding users to the adm group will grant them additional privileges,
         so be careful.


     The user is in the lpadmin group, but not in systemd-journal, or adm
     and still can ask the status.
     Another reply indicates that this is normal.



Well, you can look at the process list anytime as a normal user. So, what
are you trying to accomplish? What's the goal? Hiding the process from
the users?


I was surprised that I could see it. And as I understand it, I am certainly
not the only one. One reply on my question was even that it is a privileged
operation and should not be possible without a group added to the user
which was not added to the user.

It was referring to the content of the system journal, not to the permissions to run "systemctl status".

I agree that you can find out everything with ps, but that is a lot more
work.
I was just surprised that it was possible —and again I am far from the only
one—, I just wanted to check it out and now I know it is expected behaviour.
Better to ask a 'dumb' question than staying ignorant I think.
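
The group-based journal access described in the thread can be audited with a short script. This is an added example, not part of any message in the thread; the function name `journal_readers` and the sample accounts are constructed for illustration, and it checks only the two groups the thread names (systemd-journal and adm).

```shell
#!/bin/sh
# Added example (not from the thread): audit who is in the journal-reading groups.
LC_ALL=C; export LC_ALL

# journal_readers GROUP_FILE PASSWD_FILE   (hypothetical helper name)
# Prints "user<TAB>group" for every account that is in systemd-journal or adm,
# either as a supplementary member (group file) or via its primary GID (passwd file).
journal_readers() {
    awk -F: '
        FNR == NR {                      # first file: name:passwd:gid:members
            if ($1 == "systemd-journal" || $1 == "adm") {
                gid_to_group[$3] = $1
                n = split($4, members, ",")
                for (i = 1; i <= n; i++)
                    if (members[i] != "") print members[i] "\t" $1
            }
            next
        }
        ($4 in gid_to_group) {           # second file: name:x:uid:gid:...
            print $1 "\t" gid_to_group[$4]
        }
    ' "$1" "$2" | sort -u
}

# Constructed sample data; carol mirrors the user in the thread (lpadmin only).
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/group" <<'EOF'
root:x:0:
adm:x:4:alice
users:x:100:
systemd-journal:x:101:bob,alice
lpadmin:x:113:carol
EOF
cat > "$sample_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:100::/home/alice:/bin/bash
bob:x:1001:100::/home/bob:/bin/bash
carol:x:1002:100::/home/carol:/bin/bash
logsvc:x:998:101::/nonexistent:/usr/sbin/nologin
EOF

# carol does not appear: she can run "systemctl status" but gets no journal lines.
journal_readers "$sample_dir/group" "$sample_dir/passwd"
```

On a live system, pass `/etc/group` and `/etc/passwd` as the two arguments; this covers local accounts only.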




