Skip to content

Commit

Permalink
Exempt root owned config files from ownership checker (elastic#3689)
Browse files Browse the repository at this point in the history
* Exempt root owned config files from ownership checker

If a config file is owned by root, but the process is running as a non-privileged user the Beat should run. This change exempts root from the ownership test. This makes it possible to drop privileges before executing the beat.

* Update changelog entry for the file ownership and permission checker.
  • Loading branch information
andrewkroh authored and tsg committed Feb 28, 2017
1 parent ee99b08 commit c10d47a
Show file tree
Hide file tree
Showing 2 changed files with 14 additions and 7 deletions.
3 changes: 2 additions & 1 deletion CHANGELOG.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,8 @@ https://github.com/elastic/beats/compare/v5.1.1...master[Check the HEAD diff]
*Affecting all Beats*

- Change beat generator. Use `$GOPATH/src/github.com/elastic/beats/script/generate.py` to generate a beat. {pull}3452[3452]
- Configuration files must not be writable by other users. {pull}3544[3544]
- Configuration files must be owned by the user running the beat or by root, and
they must not be writable by others. {pull}3544[3544] {pull}3689[3689]

*Filebeat*
- Always use absolute path for event and registry. This can lead to issues when relative paths were used before. {pull}3328[3328]
Expand Down
18 changes: 12 additions & 6 deletions libbeat/common/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ import (
"flag"
"fmt"
"os"
"path/filepath"
"runtime"
"strings"

Expand Down Expand Up @@ -411,9 +412,9 @@ func filterDebugObject(c interface{}) {
}
}

// ownerHasExclusiveWritePerms asserts that the current user is the
// ownerHasExclusiveWritePerms asserts that the current user or root is the
// owner of the config file and that the config file is (at most) writable by
// the owner (e.g. group and other cannot have write access).
// the owner or root (e.g. group and other cannot have write access).
func ownerHasExclusiveWritePerms(name string) error {
if runtime.GOOS == "windows" {
return nil
Expand All @@ -428,16 +429,21 @@ func ownerHasExclusiveWritePerms(name string) error {
fileUID, _ := info.UID()
perm := info.Mode().Perm()

if euid != fileUID {
if fileUID != 0 && euid != fileUID {
return fmt.Errorf(`config file ("%v") must be owned by the beat user `+
`(uid=%v)`, name, euid)
`(uid=%v) or root`, name, euid)
}

// Test if group or other have write permissions.
if perm&0022 > 0 {
nameAbs, err := filepath.Abs(name)
if err != nil {
nameAbs = name
}
return fmt.Errorf(`config file ("%v") can only be writable by the `+
`owner but the permissions are "%v"`,
name, perm)
`owner but the permissions are "%v" (to fix the permissions use: `+
`'chmod go-w %v')`,
name, perm, nameAbs)
}

return nil
Expand Down

0 comments on commit c10d47a

Please sign in to comment.