Fix/8544 mac linux unprivileged reenroll

[kaanyalti]

• Bug

What does this PR do?

Updates the enroll command so that the file permissions are fixed when a privileged user executes enroll. Implemented only for mac/linux. Permission fix is executed every time root executes enroll and enroll is not triggered by install. Windows implementation will be in a follow up pr. Split the PRs as windows implementation may end up being more involved.

Why is it important?

Currently a root user needs to run sudo -u elastic-agent-user elastic-agent enroll ... in order to re-enroll an unprivileged agent.

Checklist

• I have read and understood the pull request guidelines of this project.
• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• [ ] I have made corresponding changes to the documentation
• [ ] I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in ./changelog/fragments using the changelog tool
• I have added an integration test or an E2E test

Disruptive User Impact

None

How to test this PR locally

• Build the agent
• Install and enroll with --unprivileged flag
• Execute enroll as root
• Verify that agent is still healthy

Related issues

• Relates Enable Safe Re-enrollment by Root/Admin for Unprivileged Elastic Agent Installs on All Platforms #8544
• Prerequisite for Fix/8544 windows unprivileged reenroll #9623 -> follow up windows PR

[mergify]

This pull request does not have a backport label. Could you fix it @kaanyalti? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-./d./d is the label that automatically backports to the 8./d branch. /d is the digit
• backport-active-all is the label that automatically backports to all active branches.
• backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
• backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

[elasticmachine]

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)

[ebeahan]

Buildkite test this

[elastic-sonarqube]

Quality Gate passed

Issues
2 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
77.4% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

[elasticmachine]

💛 Build succeeded, but was flaky

• Buildkite Build
• Commit: ce209c4

Failed CI Steps

• arm:sudo: default

History

• 💔 Build #26026 failed ce209c4
• 💔 Build #26013 failed 1a90e8c
• 💚 Build #25883 succeeded 84d2dd7
• 💔 Build #25856 failed 8cc7a4d
• 💔 Build #25855 failed e27504c

cc @kaanyalti

[blakerouse]

Code looks good. I am building it now, and will run it before +1.

[michalpristas]

as blake seems to be testing it as well please wait for him to get back to you

[blakerouse]

I was able to test this on Linux arm64 and it is working as expected. After re-enrollment as root on an unprivileged installation all files written to disk have the correct permissions and the service is running successfully.

[github-actions]

@Mergifyio backport 8.18 8.19 9.0 9.1

[mergify]

backport 8.18 8.19 9.0 9.1

✅ Backports have been created

Details

• #9767 [8.18] (backport #9604) Fix/8544 mac linux unprivileged reenroll has been created for branch 8.18 but encountered conflicts
• #9768 [8.19] (backport #9604) Fix/8544 mac linux unprivileged reenroll has been created for branch 8.19 but encountered conflicts
• #9769 [9.0] (backport #9604) Fix/8544 mac linux unprivileged reenroll has been created for branch 9.0 but encountered conflicts
• #9770 [9.1] (backport #9604) Fix/8544 mac linux unprivileged reenroll has been created for branch 9.1 but encountered conflicts