Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Set default umask of 0027 for all Beats-created files #14119

Merged
merged 15 commits into from
Oct 24, 2019

Conversation

ycombinator
Copy link
Contributor

@ycombinator ycombinator commented Oct 17, 2019

Resolves #14005

This PR sets a default umask of 0027 on non-Windows systems for all Beats. An individual Beat may choose to override this default umask via the libbeat/cmd/instance.Settings.Umask field.

This means that, by default:

  • any files created by any Beat will have at most 0640 permissions, and
  • any directories created by any Beat will have at most 0750 permissions.

@ycombinator ycombinator changed the title Set umask of 027 for all Beats-created files Set umask of 0027 for all Beats-created files Oct 18, 2019
@ycombinator ycombinator changed the title Set umask of 0027 for all Beats-created files Set default umask of 0027 for all Beats-created files Oct 18, 2019
@ycombinator ycombinator marked this pull request as ready for review October 18, 2019 19:04
@ycombinator ycombinator requested review from urso and ph October 18, 2019 19:04
Copy link
Contributor

@dedemorton dedemorton left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM


import "syscall"

func setUmask(newmask int) int {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we should return an error instead of a number. See: syscall.Errno for example.

@@ -147,6 +147,7 @@ func initRand() {
// instance.
// XXX Move this as a *Beat method?
func Run(settings Settings, bt beat.Creator) error {
setUmaskWithSettings(settings)
Copy link

@urso urso Oct 21, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we log failures? E.g. add an ErrNotImplemented and only log if err != nil && err != ErrNotImplemented.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I think this is a good idea. Thanks, will implement.

@ph
Copy link
Contributor

ph commented Oct 21, 2019

implementation look good, I would be + to add @urso comment.


func setUmask(newmask int) error {
// No way to set umask on Windows
return types.ErrNotImplemented
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is an internal error. We should not reuse sentinal errors from 3rd party packages (packages vendored by beats).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, wasn't sure about whether this was a good idea or not. Will change.

@ycombinator
Copy link
Contributor Author

@urso @ph I've addressed the feedback so far. Please re-review when you get a chance. Thanks!

Copy link
Contributor

@ph ph left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ycombinator the code LGTM but can you add a changelog?

@ycombinator
Copy link
Contributor Author

can you add a changelog?

Thanks, 🤦‍♂, I keep forgetting to do that!

@ycombinator
Copy link
Contributor Author

Travis CI is green. All jobs except x-pack/agent are green on Jenkins CI as well. Looks like that job is yellow for master builds as well.

So merging this PR.

@ycombinator ycombinator merged commit 2bb87cf into elastic:master Oct 24, 2019
ycombinator added a commit that referenced this pull request Oct 28, 2019
…14216)

* Set default umask of 0027 for all Beats-created files (#14119)

* Set umask of 027 (on non-windows systems) for all Beats-created files

* Fixing comment

* Update tests

* Updating docs for filebeat.registry.file_permissions

* Denoting octal

* Allow beats to override umask

* Removing accidentally-committed file

* Adding system test for default umask

* Make setUmask return error

* Defining ErrNotImplemented locally

* Defining not implemented error locally

* Fixing typo

* Skip umask test on Windows

* Adding missed imports

* Adding CHANGELOG entry

* Fixing up CHANGELOG
@ycombinator ycombinator deleted the lb-umask branch December 25, 2019 11:09
@tomrade
Copy link

tomrade commented Feb 17, 2020

How does this affect the "file" output as I have been unable to make log file of 0644 and I figured this was why?
I want a file with this as im writing out auditbeat json which is then forwarded by rsyslog (which does not run as root, but auditbeat does run as root)

@ycombinator
Copy link
Contributor Author

@tomrade I just tested this with an older version of Metricbeat (version 7.2.0, released before the change in this PR was made). And I also tested the latest version of Metricbeat (built from master). The permissions of the resulting folder + log file under it were the same between versions. So this change has no effect on the file output's behavior.

jorgemarey pushed a commit to jorgemarey/beats that referenced this pull request Jun 8, 2020
* Set umask of 027 (on non-windows systems) for all Beats-created files

* Fixing comment

* Update tests

* Updating docs for filebeat.registry.file_permissions

* Denoting octal

* Allow beats to override umask

* Removing accidentally-committed file

* Adding system test for default umask

* Make setUmask return error

* Defining ErrNotImplemented locally

* Defining not implemented error locally

* Fixing typo

* Skip umask test on Windows

* Adding missed imports

* Adding CHANGELOG entry
@larryon
Copy link

larryon commented May 13, 2021

Would be good to document these kind of changes

rdner pushed a commit that referenced this pull request Dec 17, 2021
…sk (#20584) (#28347)

Changes implemented in the (#14119) made all Beats-created files and folders apply an umask of 0027 (on POSIX systems).

Co-authored-by: dplavcic <dplavcic@users.noreply.github.com>
mergify bot pushed a commit that referenced this pull request Dec 17, 2021
…sk (#20584) (#28347)

Changes implemented in the (#14119) made all Beats-created files and folders apply an umask of 0027 (on POSIX systems).

Co-authored-by: dplavcic <dplavcic@users.noreply.github.com>
(cherry picked from commit ecd68db)
rdner pushed a commit that referenced this pull request Dec 20, 2021
…sk (#20584) (#28347) (#29503)

Changes implemented in the (#14119) made all Beats-created files and folders apply an umask of 0027 (on POSIX systems).

Co-authored-by: dplavcic <dplavcic@users.noreply.github.com>
(cherry picked from commit ecd68db)

Co-authored-by: Dalibor P <9079844+dplavcic@users.noreply.github.com>
@rdner rdner mentioned this pull request Jan 5, 2022
6 tasks
rdner added a commit to rdner/beats that referenced this pull request Jan 14, 2022
leweafan pushed a commit to leweafan/beats that referenced this pull request Apr 28, 2023
…14119) (elastic#14216)

* Set default umask of 0027 for all Beats-created files (elastic#14119)

* Set umask of 027 (on non-windows systems) for all Beats-created files

* Fixing comment

* Update tests

* Updating docs for filebeat.registry.file_permissions

* Denoting octal

* Allow beats to override umask

* Removing accidentally-committed file

* Adding system test for default umask

* Make setUmask return error

* Defining ErrNotImplemented locally

* Defining not implemented error locally

* Fixing typo

* Skip umask test on Windows

* Adding missed imports

* Adding CHANGELOG entry

* Fixing up CHANGELOG
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Services should run with UMask of 0027 or more restrictive.
6 participants