World writable files being written by kibana #61267

Closed
scathatheworm opened this issue Mar 25, 2020 · 6 comments
Labels: Team:Operations

@scathatheworm

Kibana version:
Observed in 7.4.0 - 7.5.2

Elasticsearch version:
7.4.0 - 7.5.2

Server OS version:
CentOS Linux release 7.7.1908 (Core)

Browser version:
nothing to do with browser

Browser OS version:
nothing to do with browser

Original install method (e.g. download page, yum, from source, etc.):
yum from elastic repo

Describe the bug:
When going through an audit, we have found a lot of world-writable (o+w, observed permissions 666 octal) files present in /usr/share/kibana/optimize/bundle.
Mainly images, but more worryingly code files:
/usr/share/kibana/optimize/bundles/light_theme.bundle.js
/usr/share/kibana/optimize/bundles/dark_theme.bundle.js
/usr/share/kibana/optimize/bundles/kibana.bundle.js
/usr/share/kibana/optimize/bundles/maps.bundle.js
/usr/share/kibana/optimize/bundles/uptime.bundle.js
/usr/share/kibana/optimize/bundles/apm.bundle.js
/usr/share/kibana/optimize/bundles/commons.bundle.js
/usr/share/kibana/optimize/bundles/ml.bundle.js
/usr/share/kibana/optimize/bundles/infra.bundle.js
/usr/share/kibana/optimize/bundles/src/legacy/ui/public/field_editor/components/field_format_editor/editors/url/icons/go.png

Steps to reproduce:
Unsure.

Expected behavior:
Kibana should NOT create world writable files.

Screenshots (if relevant):

Errors in browser console (if relevant):

Provide logs and/or server output (if relevant):

Any additional context:
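As an added audit check (not part of this issue or of the Kibana project), a POSIX shell snippet that finds regular files with the "other" write bit set under a tree, the class of finding reported above, and strips only that bit. The directory argument and the sample files in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not from the issue or from Kibana: audit a directory tree for
# world-writable regular files (mode with the o+w bit, e.g. 0666) and fix them.
# Usage: find_world_writable /usr/share/kibana/optimize

# Print the path of every regular file whose "other" write bit is set.
# -perm -002 matches when that bit is set regardless of the remaining bits;
# -type f limits the scan to regular files (bundles, images), not directories.
find_world_writable() {
    find "$1" -type f -perm -002 -print
}

# Return the number of such files as a bare integer, usable as a gate in an
# audit or deployment job ("0" means the tree is clean).
count_world_writable() {
    find "$1" -type f -perm -002 | wc -l | tr -d ' '
}

# Remediation: clear only the "other" write bit on matching regular files,
# leaving owner/group permissions and read/execute bits untouched.
strip_other_write() {
    find "$1" -type f -perm -002 -exec chmod o-w {} +
}
```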

@timroes added the Team:Operations label Mar 25, 2020

@elasticmachine (Contributor)

Pinging @elastic/kibana-operations (Team:Operations)

@joshbressers

Can you paste the results of

rpm -qi kibana
rpm -Vv kibana

Thanks

@scathatheworm (Author)

Output of rpm -qi kibana:

Name        : kibana
Version     : 7.4.0
Release     : 1
Architecture: x86_64
Install Date: Fri 18 Oct 2019 04:15:56 PM CEST
Group       : default
Size        : 721891086
License     : Elastic License
Signature   : RSA/SHA512, Fri 27 Sep 2019 12:42:56 PM CEST, Key ID d27d666cd88e42b4
Source RPM  : kibana-7.4.0-1.src.rpm
Build Date  : Fri 27 Sep 2019 11:20:41 AM CEST
Build Host  : packer-virtualbox-iso-1559162487
Relocations : /
Packager    : Kibana Team <[email protected]>
Vendor      : Elasticsearch, Inc.
URL         : https://www.elastic.co
Summary     : Explore and visualize your Elasticsearch data
Description :
Explore and visualize your Elasticsearch data

Attached output of rpm -Vv kibana since it is quite large as a text paste.
rpm-Vv_kibana.out.gz

Another host with kibana 7.5.2:

Name        : kibana
Version     : 7.5.2
Release     : 1
Architecture: x86_64
Install Date: Fri 24 Jan 2020 02:02:45 PM CET
Group       : default
Size        : 653225397
License     : Elastic License
Signature   : RSA/SHA512, Wed 15 Jan 2020 02:56:49 PM CET, Key ID d27d666cd88e42b4
Source RPM  : kibana-7.5.2-1.src.rpm
Build Date  : Wed 15 Jan 2020 01:59:42 PM CET
Build Host  : packer-virtualbox-iso-1576086839
Relocations : /
Packager    : Kibana Team <[email protected]>
Vendor      : Elasticsearch, Inc.
URL         : https://www.elastic.co
Summary     : Explore and visualize your Elasticsearch data
Description :
Explore and visualize your Elasticsearch data

Attached output of rpm -Vv kibana.
rpm-Vv_kibana.out2.gz

@jbudz (Member) commented Mar 30, 2020

Starting in 8.0 we still have writes (unfortunately) but they're being moved to /var/lib/kibana instead. Related #25944

@tylersmalley (Contributor)

@jbudz, was this resolved as part of #66614?

@jbudz (Member) commented Nov 16, 2020

Closing this out. #66614 and #78168 should resolve the issues here starting in 7.10.

@jbudz closed this as completed Nov 16, 2020