journalctl: warn if the user is not in the adm group

src/journal/journalctl.c

@@ -45,6 +45,7 @@ static bool arg_no_pager = false;
 static int arg_lines = -1;
 static bool arg_no_tail = false;
 static bool arg_new_id128 = false;
+static bool arg_quiet = false;
 
 static int help(void) {
 
@@ -59,6 +60,7 @@ static int help(void) {
                "     --no-tail        Show all lines, even in follow mode\n"
                "  -o --output=STRING  Change journal output mode (short, short-monotonic,\n"
                "                      verbose, export, json, cat)\n"
+               "  -q --quiet          Don't show privilege warning\n"
                "     --new-id128      Generate a new 128 Bit id\n",
                program_invocation_short_name);
 
@@ -84,6 +86,7 @@ static int parse_argv(int argc, char *argv[]) {
                 { "lines",     required_argument, NULL, 'n'           },
                 { "no-tail",   no_argument,       NULL, ARG_NO_TAIL   },
                 { "new-id128", no_argument,       NULL, ARG_NEW_ID128 },
+                { "quiet",     no_argument,       NULL, 'q'           },
                 { NULL,        0,                 NULL, 0             }
         };
 
@@ -92,7 +95,7 @@ static int parse_argv(int argc, char *argv[]) {
         assert(argc >= 0);
         assert(argv);
 
-        while ((c = getopt_long(argc, argv, "hfo:an:", options, NULL)) >= 0) {
+        while ((c = getopt_long(argc, argv, "hfo:an:q", options, NULL)) >= 0) {
 
                 switch (c) {
 
@@ -143,6 +146,9 @@ static int parse_argv(int argc, char *argv[]) {
                         arg_new_id128 = true;
                         break;
 
+                case 'q':
+                        arg_quiet = true;
+
                 case '?':
                         return -EINVAL;
 
@@ -204,6 +210,9 @@ int main(int argc, char *argv[]) {
                 goto finish;
         }
 
+        if (!arg_quiet && geteuid() != 0 && in_group("adm") <= 0)
+                log_warning("Showing user generated messages only. Users in the group 'adm' can see all messages. Pass -q to turn this message off.");
+
         r = sd_journal_open(&j, 0);
         if (r < 0) {
                 log_error("Failed to open journal: %s", strerror(-r));

src/util.c

@@ -5608,6 +5608,36 @@ int get_group_creds(const char **groupname, gid_t *gid) {
         return 0;
 }
 
+int in_group(const char *name) {
+        gid_t gid, *gids;
+        int ngroups_max, r, i;
+
+        r = get_group_creds(&name, &gid);
+        if (r < 0)
+                return r;
+
+        if (getgid() == gid)
+                return 1;
+
+        if (getegid() == gid)
+                return 1;
+
+        ngroups_max = sysconf(_SC_NGROUPS_MAX);
+        assert(ngroups_max > 0);
+
+        gids = alloca(sizeof(gid_t) * ngroups_max);
+
+        r = getgroups(ngroups_max, gids);
+        if (r < 0)
+                return -errno;
+
+        for (i = 0; i < r; i++)
+                if (gids[i] == gid)
+                        return 1;
+
+        return 0;
+}
+
 int glob_exists(const char *path) {
         glob_t g;
         int r, k;

src/util.h

@@ -466,6 +466,8 @@ int socket_from_display(const char *display, char **path);
 int get_user_creds(const char **username, uid_t *uid, gid_t *gid, const char **home);
 int get_group_creds(const char **groupname, gid_t *gid);
 
+int in_group(const char *name);
+
 int glob_exists(const char *path);
 
 int dirent_ensure_type(DIR *d, struct dirent *de);