From 7b2eda94ea97ed0a64cc91af638fa1fe0915ea98 Mon Sep 17 00:00:00 2001
From: Andrew Kroh
Date: Tue, 28 Feb 2017 11:10:06 -0500
Subject: [PATCH] Exempt root owned config files from ownership checker (#3689)
* Exempt root owned config files from ownership checker
If a config file is owned by root, but the process is running as a non-privileged user the Beat should run. This change exempts root from the ownership test. This makes it possible to drop privileges before executing the beat.
* Update changelog entry for the file ownership and permission checker.
(cherry picked from commit c10d47af73f51b3db2a46ffb606e771bb8d397b3)
---
 CHANGELOG.asciidoc | 3 ++-
 libbeat/common/config.go | 18 ++++++++++++------
 2 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc
index 721426b8b3b6..35f349326fc5 100644
--- a/CHANGELOG.asciidoc
+++ b/CHANGELOG.asciidoc
@@ -15,7 +15,8 @@ https://github.com/elastic/beats/compare/v5.1.1...master[Check the HEAD diff]
 *Affecting all Beats*
 - Change beat generator. Use `$GOPATH/src/github.com/elastic/beats/script/generate.py` to generate a beat. {pull}3452[3452]
-- Configuration files must not be writable by other users. {pull}3544[3544]
+- Configuration files must be owned by the user running the beat or by root, and
+ they must not be writable by others. {pull}3544[3544] {pull}3689[3689]
 *Filebeat*
 - Always use absolute path for event and registry. This can lead to issues when relative paths were used before. {pull}3328[3328]
diff --git a/libbeat/common/config.go b/libbeat/common/config.go
index a35888da2391..7a4849cfcd12 100644
--- a/libbeat/common/config.go
+++ b/libbeat/common/config.go
@@ -6,6 +6,7 @@ import (
 "flag"
 "fmt"
 "os"
+ "path/filepath"
 "runtime"
 "strings"
@@ -411,9 +412,9 @@ func filterDebugObject(c interface{}) {
 }
 }
-// ownerHasExclusiveWritePerms asserts that the current user is the
+// ownerHasExclusiveWritePerms asserts that the current user or root is the
 // owner of the config file and that the config file is (at most) writable by
-// the owner (e.g. group and other cannot have write access).
+// the owner or root (e.g. group and other cannot have write access).
 func ownerHasExclusiveWritePerms(name string) error {
 if runtime.GOOS == "windows" {
 return nil
@@ -428,16 +429,21 @@ func ownerHasExclusiveWritePerms(name string) error {
 fileUID, _ := info.UID()
 perm := info.Mode().Perm()
- if euid != fileUID {
+ if fileUID != 0 && euid != fileUID {
 return fmt.Errorf(`config file ("%v") must be owned by the beat user `+
- `(uid=%v)`, name, euid)
+ `(uid=%v) or root`, name, euid)
 }
 // Test if group or other have write permissions.
 if perm&0022 > 0 {
+ nameAbs, err := filepath.Abs(name)
+ if err != nil {
+ nameAbs = name
+ }
 return fmt.Errorf(`config file ("%v") can only be writable by the `+
- `owner but the permissions are "%v"`,
- name, perm)
+ `owner but the permissions are "%v" (to fix the permissions use: `+
+ `'chmod go-w %v')`,
+ name, perm, nameAbs)
 }
 return nil
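Review bot: The new condition `if fileUID != 0 && euid != fileUID {` treats a zero fileUID as root ownership, but fileUID comes from the context line `fileUID, _ := info.UID()` two lines above, which discards the call's second return value (presumably an error), so if UID() fails and fileUID stays at its zero value the ownership test is now skipped where it previously failed closed for a non-root euid. Checking that return before the comparison keeps the root exemption limited to files whose owner was actually read, e.g. `fileUID, err := info.UID()` followed by `if err != nil { return fmt.Errorf("reading owner of config file (%q): %v", name, err) }`. The group/other write check below still applies to root-owned files, so a root-owned but group- or world-writable file is still rejected. The body of ownerHasExclusiveWritePerms starts before this hunk, where info and euid are obtained.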