On new windows installs, remove default read permissions from agent c… (

grafana#6622) * On new windows installs, remove default read permissions from agent config Signed-off-by: erikbaranowski <[email protected]> * only apply permissions for a new install Signed-off-by: erikbaranowski <[email protected]> * Update CHANGELOG.md Co-authored-by: Robert Fratto <[email protected]> --------- Signed-off-by: erikbaranowski <[email protected]> Co-authored-by: Robert Fratto <[email protected]>
rfratto · Mar 5, 2024 · e8a3d29 · e8a3d29
1 parent 7ac3d98
commit e8a3d29
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 8 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -25,6 +25,10 @@ v0.40.2 (2024-03-05)
 - Set permissions on the `Grafana Agent [Flow]` folder when installing via the
   windows installer rather than relying on the parent folder permissions. (@erikbaranowski)
 
+- Set restricted viewing permissions on the `agent-config.yaml` (static mode) or
+  `config.river` (flow mode) when installing via the Windows installer if the
+  configuration file does not already exist. (@erikbaranowski)
+
 - Fix an issue where the import config node would not run after a config reload. (@wildum)
 
 - Fix an issue where Loki could reject a batch of logs when structured metadata feature is used. (@thampiotr)

diff --git a/packaging/grafana-agent-flow/windows/install_script.nsis b/packaging/grafana-agent-flow/windows/install_script.nsis
@@ -63,7 +63,13 @@ Section "install"
   Pop $0
 
   # Configure the out path and copy files to it.
-  SetOutPath "$INSTDIR"
+  IfFileExists "$INSTDIR" Exists NotExists
+  NotExists:
+    SetOutPath "$INSTDIR"
+    Call SetFolderPermissions
+  Exists:
+    SetOutPath "$INSTDIR"
+
   File "..\..\..\dist.temp\grafana-agent-flow-windows-amd64.exe"
   File "..\..\..\dist.temp\grafana-agent-service-windows-amd64.exe"
   File "logo.ico"
@@ -101,8 +107,6 @@ Section "install"
   # Auto-restart agent on failure. Reset failure counter after 60 seconds without failure
   nsExec::ExecToLog `sc failure "Grafana Agent Flow" reset= 60 actions= restart/5000 reboot= "Grafana Agent Flow has failed. Restarting in 5 seconds"`
   Pop $0
-
-  Call SetFolderPermissions
 SectionEnd
 
 Function CreateConfig
@@ -111,6 +115,14 @@ Function CreateConfig
     Return
   CreateNewConfig:
     File "config.river"
+
+    # Set permissions on the config file
+    AccessControl::DisableFileInheritance "$INSTDIR\config.river"
+    AccessControl::SetFileOwner "$INSTDIR\config.river" "Administrators"
+    AccessControl::ClearOnFile  "$INSTDIR\config.river" "Administrators" "FullAccess"
+    AccessControl::SetOnFile    "$INSTDIR\config.river" "SYSTEM" "FullAccess"
+    AccessControl::GrantOnFile  "$INSTDIR\config.river" "Everyone" "ListDirectory"
+    AccessControl::GrantOnFile  "$INSTDIR\config.river" "Everyone" "ReadAttributes"
     Return
 FunctionEnd
 
@@ -168,7 +180,6 @@ FunctionEnd
 
 Function SetFolderPermissions
     # Set permissions on the install directory
-    SetOutPath $INSTDIR
     AccessControl::DisableFileInheritance $INSTDIR
     AccessControl::SetFileOwner $INSTDIR "Administrators"
     AccessControl::ClearOnFile  $INSTDIR "Administrators" "FullAccess"

diff --git a/packaging/grafana-agent/windows/install_script.nsis b/packaging/grafana-agent/windows/install_script.nsis
@@ -114,7 +114,12 @@ Function Install
     nsExec::ExecToLog 'sc stop "Grafana Agent"'
     Pop $0
     # Files for the install directory - to build the installer, these should be in the same directory as the install script (this file)
-    setOutPath $INSTDIR
+    IfFileExists "$INSTDIR" Exists NotExists
+    NotExists:
+        SetOutPath "$INSTDIR"
+        Call SetFolderPermissions
+    Exists:
+        SetOutPath "$INSTDIR"
     # Files added here should be removed by the uninstaller (see section "uninstall")
     file "grafana-agent-windows-amd64.exe"
     file "logo.ico"
@@ -155,8 +160,6 @@ Function Install
     # Auto-restart agent on failure. Reset failure counter after 60 seconds without failure
     nsExec::ExecToLog `sc failure "Grafana Agent" reset= 60 actions= restart/5000 reboot= "Grafana Agent has failed. Restarting in 5 seconds"`
     Pop $0
-
-    Call SetFolderPermissions
 FunctionEnd
 
 Function WriteConfig
@@ -188,12 +191,19 @@ Function WriteConfig
         FileWrite $9 `    enabled: true`
         ${EndIf}
         FileClose $9 # and close the file
+
+        # Set permissions on the config file
+        AccessControl::DisableFileInheritance "$INSTDIR\agent-config.yaml"
+        AccessControl::SetFileOwner "$INSTDIR\agent-config.yaml" "Administrators"
+        AccessControl::ClearOnFile  "$INSTDIR\agent-config.yaml" "Administrators" "FullAccess"
+        AccessControl::SetOnFile    "$INSTDIR\agent-config.yaml" "SYSTEM" "FullAccess"
+        AccessControl::GrantOnFile  "$INSTDIR\agent-config.yaml" "Everyone" "ListDirectory"
+        AccessControl::GrantOnFile  "$INSTDIR\agent-config.yaml" "Everyone" "ReadAttributes"
         Return
 FunctionEnd
 
 Function SetFolderPermissions
     # Set permissions on the install directory
-    SetOutPath $INSTDIR
     AccessControl::DisableFileInheritance $INSTDIR
     AccessControl::SetFileOwner $INSTDIR "Administrators"
     AccessControl::ClearOnFile  $INSTDIR "Administrators" "FullAccess"