Use 0600 for files created by Beats

CHANGELOG.asciidoc

@@ -61,6 +61,7 @@ https://github.com/elastic/beats/compare/v5.1.1...master[Check the HEAD diff]
 - The limit for the number of fields is increased via the mapping template. {pull}3275[3275]
 - Updated to Go 1.7.4. {pull}3277[3277]
 - Added a NOTICE file containing the notices and licenses of the dependencies. {pull}3334[3334].
+- Files created by Beats (logs, registry, file output) will have 0600 permissions. {pull}3387[3387].
 
 *Metricbeat*
 

filebeat/registrar/registrar.go

@@ -57,7 +57,7 @@ func (r *Registrar) Init() error {
 
 	// Create directory if it does not already exist.
 	registryPath := filepath.Dir(r.registryFile)
-	err := os.MkdirAll(registryPath, 0755)
+	err := os.MkdirAll(registryPath, 0750)
 	if err != nil {
 		return fmt.Errorf("Failed to created registry file dir %s: %v", registryPath, err)
 	}
@@ -298,7 +298,7 @@ func (r *Registrar) writeRegistry() error {
 	logp.Debug("registrar", "Write registry file: %s", r.registryFile)
 
 	tempfile := r.registryFile + ".new"
-	f, err := os.Create(tempfile)
+	f, err := os.OpenFile(tempfile, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
 	if err != nil {
 		logp.Err("Failed to create tempfile (%s) for writing: %s", tempfile, err)
 		return err

libbeat/logp/file_rotator.go

@@ -31,7 +31,7 @@ func (rotator *FileRotator) CreateDirectory() error {
 	}
 
 	if os.IsNotExist(err) {
-		err = os.MkdirAll(rotator.Path, 0755)
+		err = os.MkdirAll(rotator.Path, 0750)
 		if err != nil {
 			return err
 		}
@@ -145,7 +145,7 @@ func (rotator *FileRotator) Rotate() error {
 
 	// create the new file
 	path := rotator.FilePath(0)
-	current, err := os.Create(path)
+	current, err := os.OpenFile(path, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
 	if err != nil {
 		return err
 	}

libbeat/paths/paths.go

@@ -55,15 +55,15 @@ func New() *Path {
 
 // InitPaths sets the default paths in the configuration based on CLI flags,
 // configuration file and default values. It also tries to create the data
-// path with mode 0755 and returns an error on failure.
+// path with mode 0750 and returns an error on failure.
 func (paths *Path) InitPaths(cfg *Path) error {
 	err := paths.initPaths(cfg)
 	if err != nil {
 		return err
 	}
 
 	// make sure the data path exists
-	err = os.MkdirAll(paths.Data, 0755)
+	err = os.MkdirAll(paths.Data, 0750)
 	if err != nil {
 		return fmt.Errorf("Failed to create data path %s: %v", paths.Data, err)
 	}
@@ -73,7 +73,7 @@ func (paths *Path) InitPaths(cfg *Path) error {
 
 // InitPaths sets the default paths in the configuration based on CLI flags,
 // configuration file and default values. It also tries to create the data
-// path with mode 0755 and returns an error on failure.
+// path with mode 0750 and returns an error on failure.
 func InitPaths(cfg *Path) error {
 	return Paths.InitPaths(cfg)
 }

winlogbeat/checkpoint/checkpoint.go

@@ -188,7 +188,7 @@ func (c *Checkpoint) flush() error {
 	if os.IsNotExist(err) {
 		// Try to create directory if it does not exist.
 		if createDirErr := c.createDir(); createDirErr == nil {
-			file, err = os.Create(tempFile)
+			file, err = create(tempFile)
 		}
 	}
 

winlogbeat/checkpoint/file_unix.go

@@ -5,5 +5,5 @@ package checkpoint
 import "os"
 
 func create(path string) (*os.File, error) {
-	return os.Create(path)
+	return os.OpenFile(path, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
 }