From baec8a22f9c7cdb696dc0e833273c5e6c007071a Mon Sep 17 00:00:00 2001
From: Shaunak Kashyap
Date: Wed, 1 Mar 2023 16:01:00 -0500
Subject: [PATCH] Fix permissions on default state sub-directories when Agent runs as container (#2330)
* Set temp dir permissions to 0770
* Set logs dir permissions to 0775
* Adding CHANGELOG entry
* Fix kind of change in changelog entry
(cherry picked from commit e1b4c211cb59ca62308ee7b67e5fd351a037bd52)
---
 ...599609-fix-container-state-dirs-perms.yaml | 32 +++++++++++++++++++
 .../pkg/agent/application/paths/common.go | 3 +-
 internal/pkg/agent/cmd/container.go | 8 +++--
 3 files changed, 39 insertions(+), 4 deletions(-)
 create mode 100644 changelog/fragments/1677599609-fix-container-state-dirs-perms.yaml
diff --git a/changelog/fragments/1677599609-fix-container-state-dirs-perms.yaml b/changelog/fragments/1677599609-fix-container-state-dirs-perms.yaml
new file mode 100644
index 00000000000..2cc4f5e6f57
--- /dev/null
+++ b/changelog/fragments/1677599609-fix-container-state-dirs-perms.yaml
@@ -0,0 +1,32 @@
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: bug-fix
+
+# Change summary; a 80ish characters long description of the change.
+summary: Fixes the permissions of the `state/data/tmp` and `state/data/logs` folders when they're setup as part of running `elastic-agent container`.
+
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment.
+#description:
+
+# Affected component; a word indicating the component this changeset affects.
+component: agent
+
+# PR URL; optional; the PR number that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+pr: https://github.com/elastic/elastic-agent/pull/2330
+
+# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+issue: https://github.com/elastic/elastic-agent/issues/2315
diff --git a/internal/pkg/agent/application/paths/common.go b/internal/pkg/agent/application/paths/common.go
index 41284026091..ac179f23abb 100644
--- a/internal/pkg/agent/application/paths/common.go
+++ b/internal/pkg/agent/application/paths/common.go
@@ -22,6 +22,7 @@ const (
 // AgentLockFileName is the name of the overall Elastic Agent file lock.
 AgentLockFileName = "agent.lock"
 tempSubdir = "tmp"
+ tempSubdirPerms = 0770
 darwin = "darwin"
 )
@@ -85,7 +86,7 @@ func TempDir() string {
 tmpDir := filepath.Join(Data(), tempSubdir)
 tmpCreator.Do(func() {
 // create tempdir as it probably don't exists
- _ = os.MkdirAll(tmpDir, 0750)
+ _ = os.MkdirAll(tmpDir, tempSubdirPerms)
 })
 return tmpDir
 }
diff --git a/internal/pkg/agent/cmd/container.go b/internal/pkg/agent/cmd/container.go
index 2e14bfec3e7..36db190e377 100644
--- a/internal/pkg/agent/cmd/container.go
+++ b/internal/pkg/agent/cmd/container.go
@@ -43,6 +43,8 @@ const (
 defaultRequestRetrySleep = "1s" // sleep 1 sec between retries for HTTP requests
 defaultMaxRequestRetries = "30" // maximum number of retries for HTTP requests
 defaultStateDirectory = "/usr/share/elastic-agent/state" // directory that will hold the state data
+
+ logsPathPerms = 0775
 )
 var (
@@ -150,7 +152,7 @@ func logContainerCmd(streams *cli.IOStreams) error {
 logsPath := envWithDefault("", "LOGS_PATH")
 if logsPath != "" {
 // log this entire command to a file as well as to the passed streams
- if err := os.MkdirAll(logsPath, 0755); err != nil {
+ if err := os.MkdirAll(logsPath, logsPathPerms); err != nil {
 return fmt.Errorf("preparing LOGS_PATH(%s) failed: %w", logsPath, err)
 }
 logPath := filepath.Join(logsPath, "elastic-agent-startup.log")
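Review bot: `os.MkdirAll(tmpDir, tempSubdirPerms)` inside the `tmpCreator.Do` closure applies the mode only to directories it creates, and that mode is still filtered by the process umask, so a `tmp` directory left at 0750 by an earlier run (for example on a persisted state volume) keeps its old permissions while the error is still discarded with `_ =`. If group write is the actual requirement, following the call with `_ = os.Chmod(tmpDir, tempSubdirPerms)` would make the result independent of umask and of pre-existing directories; the same reasoning applies to the three `os.MkdirAll(..., logsPathPerms)` calls in container.go. TempDir sits in the shared paths package, so the wider 0770 mode presumably also applies outside `elastic-agent container`, which the commit title does not suggest. A comment on `tempSubdirPerms` in the const hunk above, naming which group needs write access, would record why the mode was widened. The signature of TempDir appears only in the hunk header.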
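Review bot: `logsPathPerms = 0775` is added without a comment, unlike the three constants above it, and the mode keeps read and traverse access for "other" while adding group write. Agent logs may include error output that echoes configuration values, so it is worth confirming that access for other users is still needed; if only the owning group must write, `logsPathPerms = 0770 // logs dirs: owner and group only` is the narrower choice. The constant is used for LOGS_PATH in logContainerCmd (hunk at -150) and for both LOGS_PATH and the internal logger directory in setPaths (hunk at -795), so the comment should say it covers all three. The const block opens above this hunk.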
@@ -795,14 +797,14 @@ func setPaths(statePath, configPath, logsPath string, writePaths bool) error {
 if logsPath != "" {
 paths.SetLogs(logsPath)
 // ensure that the logs directory exists
- if err := os.MkdirAll(filepath.Join(logsPath), 0755); err != nil {
+ if err := os.MkdirAll(filepath.Join(logsPath), logsPathPerms); err != nil {
 return fmt.Errorf("preparing LOGS_PATH(%s) failed: %w", logsPath, err)
 }
 }
 // ensure that the internal logger directory exists
 loggerPath := filepath.Join(paths.Home(), logger.DefaultLogDirectory)
- if err := os.MkdirAll(loggerPath, 0755); err != nil {
+ if err := os.MkdirAll(loggerPath, logsPathPerms); err != nil {
 return fmt.Errorf("preparing internal log path(%s) failed: %w", loggerPath, err)
 }
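Review bot: `filepath.Join(logsPath)` with a single argument only cleans the path, and the cleaned form is used just for MkdirAll while `paths.SetLogs(logsPath)` and the error message keep the raw value. Passing the value directly, as logContainerCmd does, keeps the created directory and the registered logs path identical: `if err := os.MkdirAll(logsPath, logsPathPerms); err != nil {`. The call predates this commit but sits on the changed line. setPaths starts and ends outside this hunk.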