Resolving Non-Root User Access to systemd Journal (journalctl) in CentOS 7: Permission Configuration Guide


Many CentOS 7 administrators encounter unexpected behavior when trying to access system logs via journalctl as non-root users, even after following the official documentation about group permissions. The core symptom manifests when users in both systemd-journal and adm groups still can't view system logs despite correct group membership.

Let's examine a typical permission structure that causes this issue:

$ ls -la /var/log/journal/f9afeb75a5a382dce8269887a67fbf58/
total 24592
drwxr-xr-x. 2 root root     4096 Aug 29 16:35 .
drwxr-xr-x. 3 root root     4096 Aug 29 17:28 ..
-rw-r-----. 1 root root 16777216 Aug 29 17:27 system.journal
-rw-r-----+ 1 root root  8388608 Aug 29 17:33 user-1000.journal

The critical observation here is that, although the user is in the systemd-journal and adm groups, system.journal is mode 640 and owned by root:root, so its group-read bit benefits only the root group; neither of the user's groups gets read access to the file.

Option 1: ACL-Based Approach (Preferred)

# Set ACL to allow systemd-journal group access
sudo setfacl -R -m g:systemd-journal:r-x /var/log/journal/
sudo systemctl restart systemd-journald

Option 2: Group Ownership Change

# Change group ownership of journal files
sudo chown -R root:systemd-journal /var/log/journal/
sudo chmod -R g+rX /var/log/journal/
sudo systemctl restart systemd-journald

The discrepancy occurs because:

  • New journal files inherit permissions from the directory (typically 750 for root:root)
  • Systemd only checks group membership, not file permissions
  • The default umask (0027) prevents group read access

To make this survive reboots, create a systemd-tmpfiles configuration:

# /etc/tmpfiles.d/journal-perms.conf
# setgid (2xxx) on the directories makes new journal files inherit the group;
# the z lines adjust what already exists without creating anything
d /var/log/journal 2755 root systemd-journal -
z /var/log/journal/* 2755 root systemd-journal -
z /var/log/journal/*/*.journal 0640 root systemd-journal -

Then apply with:

sudo systemd-tmpfiles --create

After making changes, verify with:

# Check effective permissions
getfacl /var/log/journal/$(cat /etc/machine-id)/system.journal

# Test user access
sudo -u centos journalctl --no-pager -n5

When working with systemd's journal on CentOS 7, I recently encountered an interesting permissions challenge. Despite following the official documentation and adding my user to both the systemd-journal and adm groups, I couldn't view system logs through journalctl as a non-root user.

Here's the configuration snapshot that revealed the issue:

$ id
uid=1000(centos) gid=1000(centos) groups=1000(centos),4(adm),10(wheel),190(systemd-journal) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

$ cat /etc/systemd/journald.conf
[Journal]
Storage=persistent

$ ls -la /var/log/journal/f9afeb75a5a382dce8269887a67fbf58/
total 24592
drwxr-xr-x. 2 root root     4096 Aug 29 16:35 .
drwxr-xr-x. 3 root root     4096 Aug 29 17:28 ..
-rw-r-----. 1 root root 16777216 Aug 29 17:27 system.journal
-rw-r-----+ 1 root root  8388608 Aug 29 17:33 user-1000.journal

The key observation here is the permissions on the system.journal file (-rw-r-----.). While the user is in the systemd-journal group, the file doesn't grant read access to the group. This differs from the user-specific journal file (user-1000.journal) which uses POSIX ACLs (indicated by the + sign).

There are actually two proper ways to resolve this:

Option 1: Configure Journald for Proper Group Access

Add the following to /etc/systemd/journald.conf:

[Journal]
Storage=persistent
SystemMaxUse=100M
SyncIntervalSec=5m
SystemGroup=systemd-journal

Then restart journald:

sudo systemctl restart systemd-journald

Option 2: Manual ACL Configuration (Temporary Fix)

For immediate access without restarting journald:

# rX: directories need the execute bit to be traversed, files only need read
sudo setfacl -R -m g:systemd-journal:rX /var/log/journal/
sudo systemd-tmpfiles --create --prefix /var/log/journal
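To show why group membership alone does not help, and why a recursive ACL entry must carry the execute bit on directories, here is an added Python model of the permission and ACL evaluation the kernel applies to a journalctl read; it is a constructed illustration, not code from the original article or from systemd. The user, groups, modes and the setfacl mask recomputation mirror the listings and commands above, and the Node/allowed/setfacl_modify names are the example's own.

```python
"""Model of the POSIX permission and ACL check applied when a non-root user
runs journalctl against /var/log/journal (constructed illustration)."""
from dataclasses import dataclass, field, replace

R, X = 4, 1  # read and execute/traverse bits of one mode octet

@dataclass(frozen=True)
class Node:
    """A directory or journal file; named_groups holds setfacl g:NAME:bits entries."""
    owner: str
    group: str
    mode: int                    # e.g. 0o640 for system.journal
    named_groups: dict = field(default_factory=dict)
    mask: int = 7                # no extended ACL: the mask restricts nothing

def allowed(node, user, groups, want):
    """POSIX.1e order: owner; else group class (owning + named groups, capped
    by the mask), where a match lacking the bits denies outright; else other."""
    if user == node.owner:
        return ((node.mode >> 6) & 7) & want == want
    hits = [(node.mode >> 3) & 7] if node.group in groups else []
    hits += [b for g, b in node.named_groups.items() if g in groups]
    if hits:
        return any(b & node.mask & want == want for b in hits)
    return (node.mode & 7) & want == want

def setfacl_modify(node, group, bits):
    """Effect of `setfacl -m g:<group>:<bits>`: add the entry and recompute
    the mask as the union of all group-class entries (setfacl's default)."""
    named = {**node.named_groups, group: bits}
    entries = [(node.mode >> 3) & 7, *named.values()]
    mask = sum(bit for bit in (4, 2, 1) if any(e & bit for e in entries))
    return replace(node, named_groups=named, mask=mask)

def can_read_journal(path, user, groups):
    """journalctl needs X on every directory and R on the journal file itself."""
    *dirs, leaf = path
    return all(allowed(d, user, groups, X) for d in dirs) and allowed(leaf, user, groups, R)

# Constructed tree mirroring the listing above: "centos" is in systemd-journal
# and adm, yet system.journal is root:root 0640 under root:root 0755 dirs.
CENTOS = {"centos", "adm", "wheel", "systemd-journal"}
BROKEN = [Node("root", "root", 0o755), Node("root", "root", 0o755),
          Node("root", "root", 0o640)]
# Option 2 above (chown -R root:systemd-journal; the g+rX bits are already set).
FIXED_BY_CHOWN = [replace(n, group="systemd-journal") for n in BROKEN]

def fixed_by_setfacl(bits):
    """Tree after `setfacl -R -m g:systemd-journal:<bits>` (bits as an int)."""
    return [setfacl_modify(n, "systemd-journal", bits) for n in BROKEN]
```

Running `can_read_journal` over `fixed_by_setfacl(R)` reproduces the trap: the named entry matches on every directory, lacks the execute bit, and so denies traversal without ever consulting the world-readable `other` bits.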

On CentOS/RHEL systems, SELinux might block access even with proper permissions. Check and adjust if needed:

$ sudo ausearch -m avc -ts recent | grep journal
$ sudo setsebool -P daemon_read_user_files 1

After applying either solution, verify with:

$ journalctl --no-pager -b | head -n 20
$ getfacl /var/log/journal/f9afeb75a5a382dce8269887a67fbf58/system.journal