From c004453795ac82485db4b01e121b2f55fe2b0b1a Mon Sep 17 00:00:00 2001 From: Andrew Kroh Date: Mon, 27 Feb 2017 22:30:56 -0500 Subject: [PATCH 1/2] Exempt root owned config files from ownership checker If a config file is owned by root, but the process is running as a non-privileged user the Beat should run. This change exempts root from the ownership test. This makes it possible to drop privileges before executing the beat.
---
 libbeat/common/config.go | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/libbeat/common/config.go b/libbeat/common/config.go
index a35888da239..7a4849cfcd1 100644
--- a/libbeat/common/config.go
+++ b/libbeat/common/config.go
@@ -6,6 +6,7 @@ import (
 "flag"
 "fmt"
 "os"
+ "path/filepath"
 "runtime"
 "strings"
 
@@ -411,9 +412,9 @@ func filterDebugObject(c interface{}) {
 }
 }
 
-// ownerHasExclusiveWritePerms asserts that the current user is the
+// ownerHasExclusiveWritePerms asserts that the current user or root is the
 // owner of the config file and that the config file is (at most) writable by
-// the owner (e.g. group and other cannot have write access).
+// the owner or root (e.g. group and other cannot have write access).
 func ownerHasExclusiveWritePerms(name string) error {
 if runtime.GOOS == "windows" {
 return nil
@@ -428,16 +429,21 @@ func ownerHasExclusiveWritePerms(name string) error {
 fileUID, _ := info.UID()
 perm := info.Mode().Perm()
 
- if euid != fileUID {
+ if fileUID != 0 && euid != fileUID {
 return fmt.Errorf(`config file ("%v") must be owned by the beat user `+
- `(uid=%v)`, name, euid)
+ `(uid=%v) or root`, name, euid)
 }
 
 // Test if group or other have write permissions.
 if perm&0022 > 0 {
+ nameAbs, err := filepath.Abs(name)
+ if err != nil {
+ nameAbs = name
+ }
 return fmt.Errorf(`config file ("%v") can only be writable by the `+
- `owner but the permissions are "%v"`,
- name, perm)
+ `owner but the permissions are "%v" (to fix the permissions use: `+
+ `'chmod go-w %v')`,
+ name, perm, nameAbs)
 }
 
 return nil
From b6644d3b23dfdb632743a8977821cac56320142a Mon Sep 17 00:00:00 2001 From: Andrew Kroh Date: Tue, 28 Feb 2017 08:57:00 -0500 Subject: [PATCH 2/2] Update changelog entry for the file ownership and permission checker.
---
 CHANGELOG.asciidoc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc
index 64908e65024..20cbd0c9a15 100644
--- a/CHANGELOG.asciidoc
+++ b/CHANGELOG.asciidoc
@@ -15,7 +15,8 @@ https://github.com/elastic/beats/compare/v5.1.1...master[Check the HEAD diff]
 
 *Affecting all Beats*
 - Change beat generator. Use `$GOPATH/src/github.com/elastic/beats/script/generate.py` to generate a beat. {pull}3452[3452]
-- Configuration files must not be writable by other users. {pull}3544[3544]
+- Configuration files must be owned by the user running the beat or by root, and
+ they must not be writable by others. {pull}3544[3544] {pull}3689[3689]
 
 *Filebeat*
 - Always use absolute path for event and registry. This can lead to issues when relative paths were used before. {pull}3328[3328]
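Review bot: In the `@@ -428,16 +429,21 @@` hunk of libbeat/common/config.go, the new `fileUID != 0` exemption trusts a value whose error is discarded on the context line `fileUID, _ := info.UID()`. The accessor's implementation is not visible here, but if it can return 0 together with an error, a file whose owner could not be determined would now pass as root-owned, which the old `euid != fileUID` test would have rejected for a non-root process. Checking the result before the comparison closes that gap: `fileUID, err := info.UID()` followed by `if err != nil { return err }`. The ownership error would also be easier to act on if it reported the file's actual owner next to `euid`, e.g. `(uid=%v) or root, but it is owned by uid=%v`. ownerHasExclusiveWritePerms starts above this hunk, so how `info` and `euid` are obtained is not shown.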