From 0831fcb723d5f79c7c24a710166670fdb010cd54 Mon Sep 17 00:00:00 2001 From: Andrew Kroh Date: Wed, 23 Nov 2016 13:38:03 -0500 Subject: [PATCH 1/2] Use 0600 for files created by Beats This change applies to registry, log, and output files. Previously files were created with 0644.
---
 filebeat/registrar/registrar.go | 4 ++-- libbeat/logp/file_rotator.go | 4 ++-- libbeat/paths/paths.go | 6 +++--- winlogbeat/checkpoint/checkpoint.go | 2 +- winlogbeat/checkpoint/file_unix.go | 2 +- 5 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/filebeat/registrar/registrar.go b/filebeat/registrar/registrar.go
index 4a9bb5b1c73..452dfa844dc 100644
--- a/filebeat/registrar/registrar.go
+++ b/filebeat/registrar/registrar.go
@@ -57,7 +57,7 @@ func (r *Registrar) Init() error {
 // Create directory if it does not already exist.
 registryPath := filepath.Dir(r.registryFile)
- err := os.MkdirAll(registryPath, 0755)
+ err := os.MkdirAll(registryPath, 0750)
 if err != nil {
 return fmt.Errorf("Failed to created registry file dir %s: %v", registryPath, err)
 }
@@ -298,7 +298,7 @@ func (r *Registrar) writeRegistry() error {
 logp.Debug("registrar", "Write registry file: %s", r.registryFile)
 tempfile := r.registryFile + ".new"
- f, err := os.Create(tempfile)
+ f, err := os.OpenFile(tempfile, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
 if err != nil {
 logp.Err("Failed to create tempfile (%s) for writing: %s", tempfile, err)
 return err
diff --git a/libbeat/logp/file_rotator.go b/libbeat/logp/file_rotator.go
index 9165fc6af7d..af191d3b275 100644
--- a/libbeat/logp/file_rotator.go
+++ b/libbeat/logp/file_rotator.go
@@ -31,7 +31,7 @@ func (rotator *FileRotator) CreateDirectory() error {
 }
 if os.IsNotExist(err) {
- err = os.MkdirAll(rotator.Path, 0755)
+ err = os.MkdirAll(rotator.Path, 0750)
 if err != nil {
 return err
 }
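Review bot: `os.MkdirAll(registryPath, 0750)` in Registrar.Init only applies the mode to directories it actually creates, so a registry directory left by an earlier install keeps 0755 and stays listable by other local users after the upgrade. The same holds for `os.MkdirAll(rotator.Path, 0750)` in FileRotator.CreateDirectory and `os.MkdirAll(paths.Data, 0750)` in Path.InitPaths. If the tightening is meant to reach existing deployments, check the existing mode with `os.Stat` and either `os.Chmod(registryPath, 0750)` or log a warning when it is wider; otherwise state in the changelog that only newly created directories are affected. Init continues past the end of this hunk.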
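Review bot: The 0600 in `os.OpenFile(tempfile, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)` in writeRegistry is used only when the file is created; a `.new` file left behind by an interrupted write from an older version is truncated and reused with its previous 0644 mode. If that temp file is then moved into place as the registry (the rest of writeRegistry is outside the hunk), the registry ends up world-readable despite this change. Following the open with `if err := f.Chmod(0600); err != nil { ... }` on platforms where mode bits apply closes that gap. The OpenFile calls in FileRotator.Rotate and in checkpoint's `create` have the same property.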
@@ -145,7 +145,7 @@ func (rotator *FileRotator) Rotate() error {
 // create the new file
 path := rotator.FilePath(0)
- current, err := os.Create(path)
+ current, err := os.OpenFile(path, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
 if err != nil {
 return err
 }
diff --git a/libbeat/paths/paths.go b/libbeat/paths/paths.go
index 93807c698ad..638f9afc093 100644
--- a/libbeat/paths/paths.go
+++ b/libbeat/paths/paths.go
@@ -55,7 +55,7 @@ func New() *Path {
 // InitPaths sets the default paths in the configuration based on CLI flags,
 // configuration file and default values. It also tries to create the data
-// path with mode 0755 and returns an error on failure.
+// path with mode 0750 and returns an error on failure.
 func (paths *Path) InitPaths(cfg *Path) error {
 err := paths.initPaths(cfg)
 if err != nil {
@@ -63,7 +63,7 @@ func (paths *Path) InitPaths(cfg *Path) error {
 }
 // make sure the data path exists
- err = os.MkdirAll(paths.Data, 0755)
+ err = os.MkdirAll(paths.Data, 0750)
 if err != nil {
 return fmt.Errorf("Failed to create data path %s: %v", paths.Data, err)
 }
@@ -73,7 +73,7 @@ func (paths *Path) InitPaths(cfg *Path) error {
 // InitPaths sets the default paths in the configuration based on CLI flags,
 // configuration file and default values. It also tries to create the data
-// path with mode 0755 and returns an error on failure.
+// path with mode 0750 and returns an error on failure.
 func InitPaths(cfg *Path) error {
 return Paths.InitPaths(cfg)
 }
diff --git a/winlogbeat/checkpoint/checkpoint.go b/winlogbeat/checkpoint/checkpoint.go
index 4d473a71833..d521c68f43b 100644
--- a/winlogbeat/checkpoint/checkpoint.go
+++ b/winlogbeat/checkpoint/checkpoint.go
@@ -188,7 +188,7 @@ func (c *Checkpoint) flush() error {
 if os.IsNotExist(err) {
 // Try to create directory if it does not exist.
 if createDirErr := c.createDir(); createDirErr == nil {
- file, err = os.Create(tempFile)
+ file, err = create(tempFile)
 }
 }
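Review bot: In Checkpoint.flush the retry now goes through `create(tempFile)`, but `c.createDir()` on the line above it is not changed by this commit (checkpoint.go has a single changed line), so a checkpoint directory created on this path gets whatever mode createDir already used, which is not visible here. If that is still 0755, the directory remains listable while the other directories in this patch move to 0750. Either align it or add a comment such as `// createDir keeps its own mode; only the checkpoint file is restricted to 0600.` flush starts and ends outside the hunk.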
diff --git a/winlogbeat/checkpoint/file_unix.go b/winlogbeat/checkpoint/file_unix.go
index d16c821dc53..8e6e76c8d74 100644
--- a/winlogbeat/checkpoint/file_unix.go
+++ b/winlogbeat/checkpoint/file_unix.go
@@ -5,5 +5,5 @@ package checkpoint
 import "os"
 func create(path string) (*os.File, error) {
- return os.Create(path)
+ return os.OpenFile(path, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
 }
From ac86bf5a7e68eadb569d2b8c9692a45ec6ba13ae Mon Sep 17 00:00:00 2001 From: Andrew Kroh Date: Mon, 16 Jan 2017 15:18:46 -0500 Subject: [PATCH 2/2] Add changelog entry.
---
 CHANGELOG.asciidoc | 1 + 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc
index 36e76e6a476..0eab7854911 100644
--- a/CHANGELOG.asciidoc
+++ b/CHANGELOG.asciidoc
@@ -61,6 +61,7 @@ https://github.com/elastic/beats/compare/v5.1.1...master[Check the HEAD diff]
 - The limit for the number of fields is increased via the mapping template. {pull}3275[3275]
 - Updated to Go 1.7.4. {pull}3277[3277]
 - Added a NOTICE file containing the notices and licenses of the dependencies. {pull}3334[3334].
+- Files created by Beats (logs, registry, file output) will have 0600 permissions. {pull}3387[3387].
 *Metricbeat*
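Review bot: `create` in winlogbeat/checkpoint/file_unix.go has no doc comment, although the 0600 it now passes is where the checkpoint file's permissions are decided. The file name and the hunk starting at line 5 suggest a build constraint above it, so this presumably affects non-Windows builds only, and no Windows counterpart appears in this patch. Since Winlogbeat targets Windows event logs, the changelog's 0600 statement may not describe the checkpoint file there. A comment would make the contract explicit: `// create opens path for reading and writing, creating it with mode 0600 (before umask) or truncating an existing file, whose mode is left unchanged.`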