Improve ownership and permissions of files in OpenSearch-Dashboards deb and rpm packages #3952
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
smortex
requested review from
dblock,
peterzhuamazon,
bbarani,
gaiksaya,
rishabh6788,
zelinh,
jordarlu,
prudhvigodithi,
Divyaasm and
tianleh
as code owners
|
Cc @peterzhuamazon who worked on the OpenSearch part of this PR. |
Codecov Report
@@ Coverage Diff @@
## main #3952 +/- ##
=======================================
Coverage 92.06% 92.06%
=======================================
Files 187 187
Lines 5669 5673 +4
=======================================
+ Hits 5219 5223 +4
Misses 450 450 |
smortex
changed the title
smortex
changed the title
|
Taking a look on it soon. |
71 tasks
peterzhuamazon
requested changes
Sep 11, 2023
scripts/pkg/build_templates/opensearch-dashboards/rpm/opensearch-dashboards.rpm.spec
Outdated
Show resolved
Hide resolved
Similar to the issue fixed in opensearch-project#3898, OpenSearch-Dashboards package has unexpected files owner and permissions. This ensure the installed files are not owner by the opensearch-dashboards user (preventing the program to overwrite itself with malicious code if the service has some kind of vulnerability), and make sure logs and data cannot be accessed by random users. Signed-off-by: Romain Tartière <[email protected]>
smortex
force-pushed
the
deb-rpm-owner-permission-dashboards
branch
from
fc480af to
407415f
Compare
peterzhuamazon
approved these changes
Sep 11, 2023
This was referenced Sep 13, 2023
smortex
added a commit
to smortex/opensearch-build
that referenced
this pull request
Sep 19, 2023
In opensearch-project#3952, the permissions where changed to fix some inconsistencies in the .deb and .rpm packaging. This change restricted access to the configuration files (which where previously readable by all users) but failed to adjust the files permissions so that the service can access these files. Ensure the configuration directory and files belong to the root user and the opensearch-dashboards group Signed-off-by: Romain Tartière <[email protected]>
smortex
added a commit
to smortex/opensearch-build
that referenced
this pull request
Sep 19, 2023
In opensearch-project#3952, the permissions where changed to fix some inconsistencies in the .deb and .rpm packaging. This change restricted access to the configuration files (which where previously readable by all users) but failed to adjust the files ownership so that the service can access these files. Ensure the configuration directory and files belong to the root user and the opensearch-dashboards group Signed-off-by: Romain Tartière <[email protected]>
smortex
changed the title
peterzhuamazon
added a commit
to peterzhuamazon/opensearch-build
that referenced
this pull request
Sep 19, 2023
…packages (opensearch-project#3952)" This reverts commit b5f7ae2.
peterzhuamazon
pushed a commit
to peterzhuamazon/opensearch-build
that referenced
this pull request
Sep 19, 2023
…opensearch-project#3952) Signed-off-by: Romain Tartière <[email protected]>
peterzhuamazon
pushed a commit
to peterzhuamazon/opensearch-build
that referenced
this pull request
Sep 19, 2023
…opensearch-project#3952) Signed-off-by: Romain Tartière <[email protected]> Signed-off-by: Peter Zhu <[email protected]>
24 tasks
peterzhuamazon
pushed a commit
to peterzhuamazon/opensearch-build
that referenced
this pull request
Mar 14, 2024
…opensearch-project#3952) Signed-off-by: Romain Tartière <[email protected]> Signed-off-by: Peter Zhu <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Similar to the issue fixed in #3898, OpenSearch-Dashboards package has
unexpected files owner and permissions.
This ensure the installed files are not owner by the
opensearch-dashboards user (preventing the program to overwrite itself
with malicious code if the service has some kind of vulnerability), and
make sure logs and data cannot be accessed by random users.
Issues Resolved
Fixes #3815