From e8a3d2963f008c4473566e6979c1c63436f048bb Mon Sep 17 00:00:00 2001 From: Erik Baranowski <39704712+erikbaranowski@users.noreply.github.com> Date: Tue, 5 Mar 2024 15:44:21 -0500 Subject: [PATCH] =?UTF-8?q?On=20new=20windows=20installs,=20remove=20defau?= =?UTF-8?q?lt=20read=20permissions=20from=20agent=20c=E2=80=A6=20(#6622)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * On new windows installs, remove default read permissions from agent config Signed-off-by: erikbaranowski <39704712+erikbaranowski@users.noreply.github.com> * only apply permissions for a new install Signed-off-by: erikbaranowski <39704712+erikbaranowski@users.noreply.github.com> * Update CHANGELOG.md Co-authored-by: Robert Fratto --------- Signed-off-by: erikbaranowski <39704712+erikbaranowski@users.noreply.github.com> Co-authored-by: Robert Fratto --- CHANGELOG.md | 4 ++++ .../windows/install_script.nsis | 19 +++++++++++++++---- .../grafana-agent/windows/install_script.nsis | 18 ++++++++++++++---- 3 files changed, 33 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7f9c0e92f1ae..7d8f04a2f757 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -25,6 +25,10 @@ v0.40.2 (2024-03-05) - Set permissions on the `Grafana Agent [Flow]` folder when installing via the windows installer rather than relying on the parent folder permissions. (@erikbaranowski) +- Set restricted viewing permissions on the `agent-config.yaml` (static mode) or + `config.river` (flow mode) when installing via the Windows installer if the + configuration file does not already exist. (@erikbaranowski) + - Fix an issue where the import config node would not run after a config reload. (@wildum) - Fix an issue where Loki could reject a batch of logs when structured metadata feature is used. (@thampiotr) 
diff --git a/packaging/grafana-agent-flow/windows/install_script.nsis b/packaging/grafana-agent-flow/windows/install_script.nsis
index a1cd586c2a91..dfb8ae95b3c7 100644
--- a/packaging/grafana-agent-flow/windows/install_script.nsis
+++ b/packaging/grafana-agent-flow/windows/install_script.nsis
@@ -63,7 +63,13 @@ Section "install"
   Pop $0
 
   # Configure the out path and copy files to it.
-  SetOutPath "$INSTDIR"
+  IfFileExists "$INSTDIR" Exists NotExists
+  NotExists:
+    SetOutPath "$INSTDIR"
+    Call SetFolderPermissions
+  Exists:
+    SetOutPath "$INSTDIR"
+
   File "..\..\..\dist.temp\grafana-agent-flow-windows-amd64.exe"
   File "..\..\..\dist.temp\grafana-agent-service-windows-amd64.exe"
   File "logo.ico"
@@ -101,8 +107,6 @@ Section "install"
   # Auto-restart agent on failure. Reset failure counter after 60 seconds without failure
   nsExec::ExecToLog `sc failure "Grafana Agent Flow" reset= 60 actions= restart/5000 reboot= "Grafana Agent Flow has failed. Restarting in 5 seconds"`
   Pop $0
-
-  Call SetFolderPermissions
 SectionEnd
 
 Function CreateConfig
@@ -111,6 +115,14 @@ Function CreateConfig
     Return
   CreateNewConfig:
     File "config.river"
+
+    # Set permissions on the config file
+    AccessControl::DisableFileInheritance "$INSTDIR\config.river"
+    AccessControl::SetFileOwner "$INSTDIR\config.river" "Administrators"
+    AccessControl::ClearOnFile "$INSTDIR\config.river" "Administrators" "FullAccess"
+    AccessControl::SetOnFile "$INSTDIR\config.river" "SYSTEM" "FullAccess"
+    AccessControl::GrantOnFile "$INSTDIR\config.river" "Everyone" "ListDirectory"
+    AccessControl::GrantOnFile "$INSTDIR\config.river" "Everyone" "ReadAttributes"
     Return
 FunctionEnd
 
@@ -168,7 +180,6 @@ FunctionEnd
 
 Function SetFolderPermissions
   # Set permissions on the install directory
-  SetOutPath $INSTDIR
   AccessControl::DisableFileInheritance $INSTDIR
   AccessControl::SetFileOwner $INSTDIR "Administrators"
   AccessControl::ClearOnFile $INSTDIR "Administrators" "FullAccess"
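Review bot: The `IfFileExists "$INSTDIR" Exists NotExists` branch in the flow install section (and the matching hunk in packaging/grafana-agent/windows/install_script.nsis) leaves the upgrade path undocumented: when the directory already exists `SetFolderPermissions` is never called, so an install over an existing tree keeps whatever ACL that tree has, which is presumably intended so operator-customised ACLs survive upgrades but is stated nowhere in the script. A comment above the check, `# Harden the folder ACL only on a fresh install; an existing $INSTDIR keeps its current ACL (operators may have customised it)`, would make that intent explicit for the next reader. Note also that `NotExists:` falls through into `Exists:`, so a fresh install runs `SetOutPath "$INSTDIR"` twice; hoisting the single `SetOutPath` above the check and keeping only the `Call SetFolderPermissions` under `NotExists:` reads more clearly and removes the empty `Exists:` branch. Section "install" continues outside the hunk.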
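Review bot: The `AccessControl::GrantOnFile "$INSTDIR\config.river" "Everyone" "ListDirectory"` line in CreateConfig (and the identical grant on `agent-config.yaml` in the WriteConfig hunk of packaging/grafana-agent/windows/install_script.nsis) very likely re-grants the read access this change sets out to remove: on a file object the FILE_LIST_DIRECTORY access-mask bit (0x1) is the same bit as FILE_READ_DATA, so if the plugin maps `ListDirectory` to that bit, Everyone can still open the config and read it. Listing needs that right on the directory, not on the file, so dropping the `ListDirectory` grant and keeping only `ReadAttributes` (a distinct bit) should give the intended result; confirm with `icacls` on a freshly installed file that Everyone shows no `RD`/`R` right. Separately, none of the AccessControl calls here check for failure, so if one fails the installer completes with a readable config and no indication; if the bundled plugin version pushes a result string, `Pop` it and abort or warn on anything other than success. CreateConfig's start lies outside the hunk.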
diff --git a/packaging/grafana-agent/windows/install_script.nsis b/packaging/grafana-agent/windows/install_script.nsis
index 264222c2d299..f5480cc837ce 100644
--- a/packaging/grafana-agent/windows/install_script.nsis
+++ b/packaging/grafana-agent/windows/install_script.nsis
@@ -114,7 +114,12 @@ Function Install
   nsExec::ExecToLog 'sc stop "Grafana Agent"'
   Pop $0
   # Files for the install directory - to build the installer, these should be in the same directory as the install script (this file)
-  setOutPath $INSTDIR
+  IfFileExists "$INSTDIR" Exists NotExists
+  NotExists:
+    SetOutPath "$INSTDIR"
+    Call SetFolderPermissions
+  Exists:
+    SetOutPath "$INSTDIR"
   # Files added here should be removed by the uninstaller (see section "uninstall")
   file "grafana-agent-windows-amd64.exe"
   file "logo.ico"
@@ -155,8 +160,6 @@ Function Install
   # Auto-restart agent on failure. Reset failure counter after 60 seconds without failure
   nsExec::ExecToLog `sc failure "Grafana Agent" reset= 60 actions= restart/5000 reboot= "Grafana Agent has failed. Restarting in 5 seconds"`
   Pop $0
-
-  Call SetFolderPermissions
 FunctionEnd
 
 Function WriteConfig
@@ -188,12 +191,19 @@ Function WriteConfig
     FileWrite $9 ` enabled: true`
   ${EndIf}
   FileClose $9 # and close the file
+
+  # Set permissions on the config file
+  AccessControl::DisableFileInheritance "$INSTDIR\agent-config.yaml"
+  AccessControl::SetFileOwner "$INSTDIR\agent-config.yaml" "Administrators"
+  AccessControl::ClearOnFile "$INSTDIR\agent-config.yaml" "Administrators" "FullAccess"
+  AccessControl::SetOnFile "$INSTDIR\agent-config.yaml" "SYSTEM" "FullAccess"
+  AccessControl::GrantOnFile "$INSTDIR\agent-config.yaml" "Everyone" "ListDirectory"
+  AccessControl::GrantOnFile "$INSTDIR\agent-config.yaml" "Everyone" "ReadAttributes"
   Return
 FunctionEnd
 
 Function SetFolderPermissions
   # Set permissions on the install directory
-  SetOutPath $INSTDIR
   AccessControl::DisableFileInheritance $INSTDIR
   AccessControl::SetFileOwner $INSTDIR "Administrators"
   AccessControl::ClearOnFile $INSTDIR "Administrators" "FullAccess"