20

The journald documentation says that adding a user to the 'systemd-journal' group or the 'adm' group allows the user to access the system-wide journal.

I'm running the latest CentOS 7 and I seem to have a problem accessing the journal as a non-root user.

Here's my config:

$ id
uid=1000(centos) gid=1000(centos) groups=1000(centos),4(adm),10(wheel),190(systemd-journal) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

$ cat /etc/systemd/journald.conf
[Journal]
Storage=persistent

$ journalctl
-- Logs begin at Sat 2015-08-29 16:35:52 UTC, end at Sat 2015-08-29 17:28:47 UTC. --
Aug 29 16:35:52 hostname ... <log continues>

There are no system logs in journalctl output. Here's my permissions config:

$ ll -a /var/log/journal/f9afeb75a5a382dce8269887a67fbf58/
total 24592
drwxr-xr-x. 2 root root     4096 Aug 29 16:35 .
drwxr-xr-x. 3 root root     4096 Aug 29 17:28 ..
-rw-r-----. 1 root root 16777216 Aug 29 17:27 system.journal
-rw-r-----+ 1 root root  8388608 Aug 29 17:33 user-1000.journal

If I change the ownership group of system.journal to systemd-journal, everything works fine. However, this does not seem right, since the documentation does not say anything about it.

Is there anything I'm missing or is it actually required to manually change the group of the system.journal file?

Thank you

mike
  • 261

2 Answers

7

The solution is to change group ownership and add a sticky bit to the parent folder before the .journal files are created.

chown :systemd-journal /var/log/journal/f9afeb75a5a382dce8269887a67fbf58
chmod g+s /var/log/journal/f9afeb75a5a382dce8269887a67fbf58
mike
  • 261
6

Well, I am not running CentOS 7, but found this issue. I did these steps, but they did not help; at least on Ubuntu 18.04 I got a message that

Hint: You are currently not seeing messages from other users and the system.
      Users in groups 'adm', 'systemd-journal' can see all messages.
      Pass -q to turn off this notice.

So I did sudo usermod -a -G systemd-journal my_user, then exit (from ssh) and log back in for the groups change to take effect, and after that I can see the journal messages with my normal user.

Attila123
  • 171
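
Added example, not part of either answer above: a POSIX shell check that covers both of them, verifying that the journal directory has the expected group and the bit that `chmod g+s` sets (setgid), that each .journal file is readable by that group, and that the current login session already carries the group. The function names are hypothetical, and the group defaults to systemd-journal as used in the answers.

```shell
#!/bin/sh
# Added example: audit a journal directory against the fixes in the answers.
# Assumptions: helper names are hypothetical; pass the machine-id directory
# under /var/log/journal and the group that should be able to read it.

# Succeeds if the *current session* already carries GROUP. `id -Gn` without a
# user argument reports the running process's groups, which only change after
# logging out and back in.
session_has_group() {
    for g in $(id -Gn); do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# Prints one line per problem; returns non-zero if any problem was found.
audit_journal_dir() {
    dir=$1 want=${2:-systemd-journal} bad=0

    [ -d "$dir" ] || { echo "missing directory: $dir"; return 2; }

    # Column 4 of `ls -ld` is the owning group.
    dgroup=$(ls -ld "$dir" | awk '{print $4}')
    [ "$dgroup" = "$want" ] || { echo "dir group is $dgroup, want $want"; bad=1; }

    # -g tests the setgid bit (what `chmod g+s` sets on the directory), which
    # makes newly created journal files inherit the directory's group.
    [ -g "$dir" ] || { echo "dir lacks setgid bit (chmod g+s)"; bad=1; }

    for f in "$dir"/*.journal; do
        [ -e "$f" ] || continue             # glob matched nothing
        line=$(ls -ld "$f")
        mode=${line%% *}
        fgroup=$(echo "$line" | awk '{print $4}')
        [ "$fgroup" = "$want" ] || { echo "$f: group is $fgroup, want $want"; bad=1; }
        case $mode in
            ????r*) ;;                       # group-read bit present
            *) echo "$f: not group-readable ($mode)"; bad=1 ;;
        esac
    done
    return $bad
}
```

Source the file and run `audit_journal_dir /var/log/journal/<machine-id>` followed by `session_has_group systemd-journal`; files created before the directory was fixed keep their old group and are reported individually.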