From 3300b4dad2a7953aab8fdc98fa83227d2c49f3a6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Romain=20Tarti=C3=A8re?= <romain@blogreen.org>
Date: Fri, 18 Aug 2023 17:13:45 -1000
Subject: [PATCH] Remove spurious SGID
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Setting the SGID bit on directories is maybe something some users will
want to use, but setting it by default for all users does not really
make sense and when packaging OpenSearch, we need to remove this
customization when building rpm.

It makes more sense to stick to the default permissions and remove this
personalization.

Signed-off-by: Romain Tartière <romain@blogreen.org>
---
 distribution/packages/build.gradle                        | 8 ++++----
 distribution/packages/src/deb/lintian/opensearch          | 8 ++++----
 .../test/java/org/opensearch/packaging/util/Packages.java | 4 ++--
 3 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/distribution/packages/build.gradle b/distribution/packages/build.gradle
index 7914fcc172ef4..262ad6c802bbb 100644
--- a/distribution/packages/build.gradle
+++ b/distribution/packages/build.gradle
@@ -213,7 +213,7 @@ Closure commonPackageConfig(String type, boolean jdk, String architecture) {
     configurationFile '/etc/opensearch/jvm.options'
     configurationFile '/etc/opensearch/log4j2.properties'
     from("${packagingFiles}") {
-      dirMode 02750
+      dirMode 0750
       into('/etc')
       permissionGroup 'opensearch'
       includeEmptyDirs true
@@ -223,7 +223,7 @@ Closure commonPackageConfig(String type, boolean jdk, String architecture) {
     }
     from("${packagingFiles}/etc/opensearch") {
       into('/etc/opensearch')
-      dirMode 02750
+      dirMode 0750
       fileMode 0660
       permissionGroup 'opensearch'
       includeEmptyDirs true
@@ -281,8 +281,8 @@ Closure commonPackageConfig(String type, boolean jdk, String architecture) {
         dirMode mode
       }
     }
-    copyEmptyDir('/var/log/opensearch', 'opensearch', 'opensearch', 02750)
-    copyEmptyDir('/var/lib/opensearch', 'opensearch', 'opensearch', 02750)
+    copyEmptyDir('/var/log/opensearch', 'opensearch', 'opensearch', 0750)
+    copyEmptyDir('/var/lib/opensearch', 'opensearch', 'opensearch', 0750)
     copyEmptyDir('/usr/share/opensearch/plugins', 'root', 'root', 0755)
 
     into '/usr/share/opensearch'
diff --git a/distribution/packages/src/deb/lintian/opensearch b/distribution/packages/src/deb/lintian/opensearch
index 854b23131ecbc..e6db8e8c6b322 100644
--- a/distribution/packages/src/deb/lintian/opensearch
+++ b/distribution/packages/src/deb/lintian/opensearch
@@ -15,11 +15,11 @@ missing-dep-on-jarwrapper
 
 # we prefer to not make our config and log files world readable
 non-standard-file-perm etc/default/opensearch 0660 != 0644
-non-standard-dir-perm etc/opensearch/ 2750 != 0755
-non-standard-dir-perm etc/opensearch/jvm.options.d/ 2750 != 0755
+non-standard-dir-perm etc/opensearch/ 0750 != 0755
+non-standard-dir-perm etc/opensearch/jvm.options.d/ 0750 != 0755
 non-standard-file-perm etc/opensearch/*
-non-standard-dir-perm var/lib/opensearch/ 2750 != 0755
-non-standard-dir-perm var/log/opensearch/ 2750 != 0755
+non-standard-dir-perm var/lib/opensearch/ 0750 != 0755
+non-standard-dir-perm var/log/opensearch/ 0750 != 0755
 executable-is-not-world-readable etc/init.d/opensearch 0750
 non-standard-file-permissions-for-etc-init.d-script etc/init.d/opensearch 0750 != 0755
 
diff --git a/qa/os/src/test/java/org/opensearch/packaging/util/Packages.java b/qa/os/src/test/java/org/opensearch/packaging/util/Packages.java
index b80ae422bda9a..e9ebf28042b46 100644
--- a/qa/os/src/test/java/org/opensearch/packaging/util/Packages.java
+++ b/qa/os/src/test/java/org/opensearch/packaging/util/Packages.java
@@ -194,11 +194,11 @@ private static void verifyInstallation(Installation opensearch, Distribution dis
 
         // we shell out here because java's posix file permission view doesn't support special modes
         assertThat(opensearch.config, file(Directory, "root", "opensearch", p750));
-        assertThat(sh.run("find \"" + opensearch.config + "\" -maxdepth 0 -printf \"%m\"").stdout, containsString("2750"));
+        assertThat(sh.run("find \"" + opensearch.config + "\" -maxdepth 0 -printf \"%m\"").stdout, containsString("750"));
 
         final Path jvmOptionsDirectory = opensearch.config.resolve("jvm.options.d");
         assertThat(jvmOptionsDirectory, file(Directory, "root", "opensearch", p750));
-        assertThat(sh.run("find \"" + jvmOptionsDirectory + "\" -maxdepth 0 -printf \"%m\"").stdout, containsString("2750"));
+        assertThat(sh.run("find \"" + jvmOptionsDirectory + "\" -maxdepth 0 -printf \"%m\"").stdout, containsString("750"));
 
         Stream.of("opensearch.keystore", "opensearch.yml", "jvm.options", "log4j2.properties")
             .forEach(configFile -> assertThat(opensearch.config(configFile), file(File, "root", "opensearch", p660)));