elastic · kaanyalti · Sep 8, 2025 · Sep 5, 2025 · Sep 5, 2025
diff --git a/...gments/1756313785-enable-root-user-to-re-enroll-unprivileged-agent-for-mac-and-linux.yaml b/...gments/1756313785-enable-root-user-to-re-enroll-unprivileged-agent-for-mac-and-linux.yaml
@@ -0,0 +1,32 @@
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: bug-fix
+
+# Change summary; a 80ish characters long description of the change.
+summary: enable root user to re-enroll unprivileged agent for mac and linux
+
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment.
+#description:
+
+# Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc.
+component: "elastic-agent"
+
+# PR URL; optional; the PR number that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+pr: https://github.com/elastic/elastic-agent/pull/9603
+
+# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+issue: https://github.com/elastic/elastic-agent/issues/8544
@@ -365,6 +365,40 @@ func buildEnrollmentFlags(cmd *cobra.Command, url string, token string) []string
 	return args
 }
 
+// getFileOwnFromCmdFunc, getOwnerFromPathFunc and computeFixPermissions are for
+// testability. Instead of directly executing the code block in doEnroll, we
+// are calling computeFixPermissions. computeFixPermissions is tested on its own.
+type getFileOwnerFromCmdFunc func(*cobra.Command) (utils.FileOwner, error)
+type getOwnerFromPathFunc func(string) (utils.FileOwner, error)
+
+func computeFixPermissions(fromInstall bool, hasRoot bool, os string, getFileOwnerFromCmd getFileOwnerFromCmdFunc, getOwnerFromPath getOwnerFromPathFunc, cmd *cobra.Command) (*utils.FileOwner, error) {
+	// On MacOS Ventura and above, fixing the permissions on enrollment during installation fails with the error:
+	// Error: failed to fix permissions: chown /Library/Elastic/Agent/data/elastic-agent-c13f91/elastic-agent.app: operation not permitted
+	// This is because we are fixing permissions twice, once during installation and again during the enrollment step.
+	// When we are enrolling as part of installation on MacOS, skip the second attempt to fix permissions.
+	if fromInstall {
+		if os == "darwin" {
+			return nil, nil
+		}
+		perms, err := getFileOwnerFromCmd(cmd)
+		if err != nil {
+			// no context is added because the error is clear and user facing
+			return nil, err
+		}
+		return &perms, nil
+	}
+
+	if hasRoot && os != "windows" { // windows is a no-op, will be addressed in a separate PR
+		perms, err := getOwnerFromPath(paths.Top())
+		if err != nil {
+			return nil, fmt.Errorf("failed to get owner from path %s: %w", paths.Top(), err)
+		}
+		return &perms, nil
+	}
+
+	return nil, nil
+}
+
 func enroll(streams *cli.IOStreams, cmd *cobra.Command) error {
 	err := validateEnrollFlags(cmd)
 	if err != nil {
@@ -373,24 +407,6 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command) error {
 
 	fromInstall, _ := cmd.Flags().GetBool(fromInstallArg)
 
-	hasRoot, err := utils.HasRoot()
-	if err != nil {
-		return fmt.Errorf("checking if running with root/Administrator privileges: %w", err)
-	}
-	if hasRoot && !fromInstall {
-		binPath, err := os.Executable()
-		if err != nil {
-			return fmt.Errorf("error while getting executable path: %w", err)
-		}
-		isOwner, err := isOwnerExec(binPath)
-		if err != nil {
-			return fmt.Errorf("ran into an error while figuring out if user is allowed to execute the enroll command: %w", err)
-		}
-		if !isOwner {
-			return UserOwnerMismatchError
-		}
-	}
-
 	pathConfigFile := paths.ConfigFile()
 	rawConfig, err := config.LoadFile(pathConfigFile)
 	if err != nil {
@@ -491,21 +507,14 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command) error {
 		ctx = eCtx
 	}
 
-	// On MacOS Ventura and above, fixing the permissions on enrollment during installation fails with the error:
-	//  Error: failed to fix permissions: chown /Library/Elastic/Agent/data/elastic-agent-c13f91/elastic-agent.app: operation not permitted
-	// This is because we are fixing permissions twice, once during installation and again during the enrollment step.
-	// When we are enrolling as part of installation on MacOS, skip the second attempt to fix permissions.
-	var fixPermissions *utils.FileOwner
-	if fromInstall {
-		perms, err := getFileOwnerFromCmd(cmd)
-		if err != nil {
-			// no context is added because the error is clear and user facing
-			return err
-		}
-		fixPermissions = &perms
+	hasRoot, err := utils.HasRoot()
+	if err != nil {
+		return fmt.Errorf("checking if running with root/Administrator privileges: %w", err)
 	}
-	if runtime.GOOS == "darwin" {
-		fixPermissions = nil
+
+	fixPermissions, err := computeFixPermissions(fromInstall, hasRoot, runtime.GOOS, getFileOwnerFromCmd, getOwnerFromPath, cmd)
+	if err != nil {
+		return err
 	}
 
 	options := enrollCmdOption{