fix(installer): Make policy metadata files root-owned & world-readable

DataDog · Dec 18, 2024 · bcd19da · bcd19da
1 parent 8949577
commit bcd19da
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 15 deletions.
diff --git a/pkg/fleet/internal/cdn/cdn.go b/pkg/fleet/internal/cdn/cdn.go
@@ -165,28 +165,17 @@ func (c *CDN) Close() error {
 }
 
 // writePolicyMetadata writes the policy metadata to the given directory
-// and makes it readable to dd-agent
+// and makes it world-readable
 func writePolicyMetadata(config Config, dir string) error {
-	ddAgentUID, ddAgentGID, err := getAgentIDs()
-	if err != nil {
-		return fmt.Errorf("error getting dd-agent user and group IDs: %w", err)
-	}
-
 	state := config.State()
 	stateBytes, err := json.Marshal(state)
 	if err != nil {
 		return fmt.Errorf("could not marshal state: %w", err)
 	}
-	err = os.WriteFile(filepath.Join(dir, policyMetadataFilename), stateBytes, 0440)
+	err = os.WriteFile(filepath.Join(dir, policyMetadataFilename), stateBytes, 0444)
 	if err != nil {
 		return fmt.Errorf("could not write %s: %w", policyMetadataFilename, err)
 	}
-	if runtime.GOOS != "windows" {
-		err = os.Chown(filepath.Join(dir, policyMetadataFilename), ddAgentUID, ddAgentGID)
-		if err != nil {
-			return fmt.Errorf("could not chown %s: %w", policyMetadataFilename, err)
-		}
-	}
 	return nil
 }
 

diff --git a/test/new-e2e/tests/installer/unix/upgrade_scenario_test.go b/test/new-e2e/tests/installer/unix/upgrade_scenario_test.go
@@ -410,8 +410,8 @@ func (s *upgradeScenarioSuite) TestConfigUpgradeSuccessful() {
 	state.AssertDirExists("/etc/datadog-agent/managed/datadog-agent", 0755, "root", "root")
 	state.AssertSymlinkExists("/etc/datadog-agent/managed/datadog-agent/stable", "/etc/datadog-agent/managed/datadog-agent/e94406c45ae766b7d34d2793e4759b9c4d15ed5d5e2b7f73ce1bf0e6836f728d", "root", "root")
 	// Verify metadata
-	state.AssertFileExists("/etc/datadog-agent/managed/datadog-agent/e94406c45ae766b7d34d2793e4759b9c4d15ed5d5e2b7f73ce1bf0e6836f728d/policy.metadata", 0440, "dd-agent", "dd-agent")
-	file := s.Env().RemoteHost.MustExecute("sudo cat /etc/datadog-agent/managed/datadog-agent/e94406c45ae766b7d34d2793e4759b9c4d15ed5d5e2b7f73ce1bf0e6836f728d/policy.metadata")
+	state.AssertFileExists("/etc/datadog-agent/managed/datadog-agent/e94406c45ae766b7d34d2793e4759b9c4d15ed5d5e2b7f73ce1bf0e6836f728d/policy.metadata", 0444, "root", "root")
+	file := s.Env().RemoteHost.MustExecute("cat /etc/datadog-agent/managed/datadog-agent/e94406c45ae766b7d34d2793e4759b9c4d15ed5d5e2b7f73ce1bf0e6836f728d/policy.metadata")
 	policiesState := &pbgo.PoliciesState{}
 	err := json.Unmarshal([]byte(file), policiesState)
 	require.NoError(s.T(), err)