Exempt root owned config files from ownership checker (#3689)

* Exempt root owned config files from ownership checker If a config file is owned by root, but the process is running as a non-privileged user the Beat should run. This change exempts root from the ownership test. This makes it possible to drop privileges before executing the beat. * Update changelog entry for the file ownership and permission checker.
elastic · Feb 28, 2017 · c10d47a · c10d47a
1 parent ee99b08
commit c10d47a
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 7 deletions.
diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc
@@ -15,7 +15,8 @@ https://github.com/elastic/beats/compare/v5.1.1...master[Check the HEAD diff]
 *Affecting all Beats*
 
 - Change beat generator. Use `$GOPATH/src/github.com/elastic/beats/script/generate.py` to generate a beat. {pull}3452[3452]
-- Configuration files must not be writable by other users. {pull}3544[3544]
+- Configuration files must be owned by the user running the beat or by root, and
+  they must not be writable by others. {pull}3544[3544] {pull}3689[3689]
 
 *Filebeat*
 - Always use absolute path for event and registry. This can lead to issues when relative paths were used before. {pull}3328[3328]

diff --git a/libbeat/common/config.go b/libbeat/common/config.go
@@ -6,6 +6,7 @@ import (
 	"flag"
 	"fmt"
 	"os"
+	"path/filepath"
 	"runtime"
 	"strings"
 
@@ -411,9 +412,9 @@ func filterDebugObject(c interface{}) {
 	}
 }
 
-// ownerHasExclusiveWritePerms asserts that the current user is the
+// ownerHasExclusiveWritePerms asserts that the current user or root is the
 // owner of the config file and that the config file is (at most) writable by
-// the owner (e.g. group and other cannot have write access).
+// the owner or root (e.g. group and other cannot have write access).
 func ownerHasExclusiveWritePerms(name string) error {
 	if runtime.GOOS == "windows" {
 		return nil
@@ -428,16 +429,21 @@ func ownerHasExclusiveWritePerms(name string) error {
 	fileUID, _ := info.UID()
 	perm := info.Mode().Perm()
 
-	if euid != fileUID {
+	if fileUID != 0 && euid != fileUID {
 		return fmt.Errorf(`config file ("%v") must be owned by the beat user `+
-			`(uid=%v)`, name, euid)
+			`(uid=%v) or root`, name, euid)
 	}
 
 	// Test if group or other have write permissions.
 	if perm&0022 > 0 {
+		nameAbs, err := filepath.Abs(name)
+		if err != nil {
+			nameAbs = name
+		}
 		return fmt.Errorf(`config file ("%v") can only be writable by the `+
-			`owner but the permissions are "%v"`,
-			name, perm)
+			`owner but the permissions are "%v" (to fix the permissions use: `+
+			`'chmod go-w %v')`,
+			name, perm, nameAbs)
 	}
 
 	return nil