Configuration files must not be writeable by other users #3544
Conversation
This PR adds enforcement of ownership and file permissions on configuration files. Any configuration file must be owned by the same user that the Beat is running as and the file must not be writable by anyone other than the owner. This strict permission checking is limited to platforms with POSIX file permissions. The DACLs used by Windows are not checked at this time. The check can be disabled on the CLI with `-strict.perms=false` or by setting env var `BEAT_STRICT_PERMS=false`.
|
jenkins, test it |
| // IsStrictPerms returns true if strict permission checking on config files is | ||
| // enabled. | ||
| func IsStrictPerms() bool { | ||
| if !*flagStrictPerms || os.Getenv("BEAT_STRICT_PERMS") == "false" { |
There was a problem hiding this comment.
We should probably document that there is also an environment variable available for this setting.
There was a problem hiding this comment.
Yeah, we will need to update the documentation to explain the ownership and permission requirements. This info can go in there.
| } | ||
|
|
||
| euid := os.Geteuid() | ||
| fileUID, _ := info.UID() |
There was a problem hiding this comment.
Is ignoring the error here ok? I'm mainly interested in the behaviour on windows. If I understand correctly, fileUID will be -1 in that case, right? Is euid also -1 on Windows?
There was a problem hiding this comment.
It should never get this far because of the first check to see if this is running on Windows.
On Windows FileInfo.UID() will always return an error. And syscall.Geteuid() always returns -1.
|
Guys, do you have plans to make this option configurable via configuration file? |
|
@SlavaValAl No. What are you doing that you need this? |
|
@andrewkroh Hi, I'm working on application tool what generates prospectors configurations. I'm using this #3362 feature to get it reloaded automatically. But, my application and filebeat are acting under different users. So, I'm using feature from current pull request, and, I'm prefer to configure this option in filebeat.yml instead of environment variable or CLI option. It's not so critical, but, it would be nice to have it. |
|
Well we can't put the option to disable the check in the config file because that would be self-defeating. A bad actor could drop a config file in disabling the check and do bad things. I think for your case I would disable the check and lock down the config permissions. The check is there to prevent people from accidentally making themselves vulnerable. I think I would make the |
This PR adds enforcement of ownership and file permissions on configuration files. Any configuration file must be owned by the same user that the Beat is running as and the file must not be writable by anyone other than the owner.
This strict permission checking is limited to platforms with POSIX file permissions. The DACLs used by Windows are not checked at this time.
The check can be disabled on the CLI with
-strict.perms=false.