Some files have wrong UID #265

Closed
nurupo opened this issue Dec 31, 2021 · 5 comments

nurupo commented Dec 31, 2021

Describe the problem

I have noticed that /etc/systemd/system/do-agent.service is owned by a user I have created before I have ever installed do-agent: 999/letsencrypt.

$ stat -c "%u" /etc/systemd/system/do-agent.service
999
$ id -u letsencrypt
999

It's supposed to be owned by 995/do-agent instead:

$ id -u do-agent
995

I have created the user 999/letsencrypt on 2018-08-17 and never deleted them. I have installed do-agent (3.9.4) for the first time on 2021-04-29. It should have no business chowning files to a non do-agent uid.

I see that there are quite a few files owned by the correct uid 995, as well as do-agent itself is running under 995 right now:

$ sudo find / -uid 995
/opt/digitalocean/do-agent/scripts/update.sh
/opt/digitalocean/bin/do-agent
/proc/551
[REDACTED: a ton of /proc entries]
/usr/share/doc/do-agent/changelog.gz
/usr/share/doc/do-agent/changelog.Debian.gz

So perhaps do-agent at some point was fixed to use the correct uid?

Some files/directories are still owned by the wrong user though:

$ sudo find / -uid 999
/etc/systemd/system/do-agent.service
/opt/digitalocean
/opt/digitalocean/do-agent
/opt/digitalocean/do-agent/scripts
/opt/digitalocean/bin
/usr/share/doc/do-agent
[REDACTED: letsencrypt's files]

Steps to reproduce

Observe how some files and directories that should be owned by do-agent users are owned by someone else.

$ id -u do-agent
995
$ stat -c "%u" /etc/systemd/system/do-agent.service
999
$ stat -c "%u" /opt/digitalocean
999

Expected behavior

Files belonging to do-agent are owned by the do-agent user, instead of some other user.

System Information

Distribution and version: Debian 10

do-agent information:

Paste the entire output

/opt/digitalocean/bin/do-agent --version:

do-agent (DigitalOcean Agent)

Version:     3.12.0
Revision:    aa3365e
Build Date:  Mon Nov  8 21:00:45 UTC 2021
Go Version:  go1.17.3
Website:     https://github.com/digitalocean/do-agent

Copyright (c) 2021 DigitalOcean, Inc. All rights reserved.

This work is licensed under the terms of the Apache 2.0 license.
For a copy, see <https://www.apache.org/licenses/LICENSE-2.0.html>.

Ubuntu, Debian

apt-cache policy do-agent:

do-agent:
  Installed: 3.12.0
  Candidate: 3.12.0
  Version table:
 *** 3.12.0 500
        500 https://repos.insights.digitalocean.com/apt/do-agent main/main amd64 Packages
        100 /var/lib/dpkg/status
     3.11.0 500
        500 https://repos.insights.digitalocean.com/apt/do-agent main/main amd64 Packages
     3.10.0 500
        500 https://repos.insights.digitalocean.com/apt/do-agent main/main amd64 Packages
     3.9.4 500
        500 https://repos.insights.digitalocean.com/apt/do-agent main/main amd64 Packages
     3.9.0 500
        500 https://repos.insights.digitalocean.com/apt/do-agent main/main amd64 Packages
     3.8.0 500
        500 https://repos.insights.digitalocean.com/apt/do-agent main/main amd64 Packages
     3.7.1 500
        500 https://repos.insights.digitalocean.com/apt/do-agent main/main amd64 Packages
     3.6.0 500
        500 https://repos.insights.digitalocean.com/apt/do-agent main/main amd64 Packages
     3.5.6 500
        500 https://repos.insights.digitalocean.com/apt/do-agent main/main amd64 Packages
     3.5.5 500
        500 https://repos.insights.digitalocean.com/apt/do-agent main/main amd64 Packages
     3.5.4 500
        500 https://repos.insights.digitalocean.com/apt/do-agent main/main amd64 Packages
     3.5.2 500
        500 https://repos.insights.digitalocean.com/apt/do-agent main/main amd64 Packages
     3.5.1 500
        500 https://repos.insights.digitalocean.com/apt/do-agent main/main amd64 Packages
     3.3.1 500
        500 https://repos.insights.digitalocean.com/apt/do-agent main/main amd64 Packages
     3.2.1 500
        500 https://repos.insights.digitalocean.com/apt/do-agent main/main amd64 Packages
     3.0.5 500
        500 https://repos.insights.digitalocean.com/apt/do-agent main/main amd64 Packages
     2.2.4 500
        500 https://repos.insights.digitalocean.com/apt/do-agent main/main amd64 Packages
     2.2.3 500
        500 https://repos.insights.digitalocean.com/apt/do-agent main/main amd64 Packages
     2.2.1 500
        500 https://repos.insights.digitalocean.com/apt/do-agent main/main amd64 Packages
     2.2.0 500
        500 https://repos.insights.digitalocean.com/apt/do-agent main/main amd64 Packages
     2.1.3 500
        500 https://repos.insights.digitalocean.com/apt/do-agent main/main amd64 Packages
     2.0.2 500
        500 https://repos.insights.digitalocean.com/apt/do-agent main/main amd64 Packages
     2.0.1 500
        500 https://repos.insights.digitalocean.com/apt/do-agent main/main amd64 Packages
     2.0.0 500
        500 https://repos.insights.digitalocean.com/apt/do-agent main/main amd64 Packages
     1.1.3 500
        500 https://repos.insights.digitalocean.com/apt/do-agent main/main amd64 Packages
@bsnyder788
Contributor

@nurupo I wasn't able to reproduce this myself with the latest agent (or on droplets that have been through mostly 2.x and 3.x versions over the past 2 years). You might be right that it was due to a much older release having an issue.

nurupo commented Jan 5, 2022

I have this issue on all 5 of my droplets. It's as if do-agent was hardcoded to use UID/GID 999 when installing files at some point, despite there existing some other user under that UID/GID already. On a more recent Debian Droplet, from around July 2020, there is systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin user, and the files are owned by it instead.

Anyway, please don't hardcode UIDs/GIDs in the future.

stale bot commented Apr 16, 2022

This issue has been automatically marked as stale because it has not had any recent activity. It will be closed if no further activity occurs.

@stale stale bot added the stale label Apr 16, 2022
@bsnyder788
Contributor

still valid

@stale stale bot removed the stale label Apr 16, 2022

prichrd commented Jul 3, 2024

Hey @nurupo,

Thank you for raising the issue. It is possible that this was caused by the recreation of users on agent installs/updates. We removed that logic: 42f0916. It was the only odd user manipulation we were doing that could explain the issue.

I will close the issue; please let us know if you think this is a mistake or needs more investigation.

@prichrd prichrd closed this as completed Jul 3, 2024
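
An added example, not part of the issue thread or of do-agent: a POSIX shell check that takes a list of paths such as the ones reported above, includes their parent directories, and prints every entry whose owner UID is not on an allow-list, which is how a reused UID like 999 here shows up. The function names and the choice of allowed UIDs are assumptions.

```shell
#!/bin/sh
# Added example, not part of the issue or of do-agent.
# Function names and the allow-list contents are assumptions.

# with_parents: read paths on stdin, print each one plus every parent
# directory below /. A directory owned by an unexpected UID matters as much
# as a file, because the directory's owner controls the entries inside it.
with_parents() {
    while IFS= read -r p; do
        while [ -n "$p" ] && [ "$p" != "/" ] && [ "$p" != "." ]; do
            printf '%s\n' "$p"
            p=$(dirname -- "$p")
        done
    done | sort -u
}

# audit_owners "UID UID ...": read paths on stdin and print
# "<uid> <user><TAB><path>" for every existing path whose owner UID is not
# in the allow-list. Returns 1 if anything was flagged, 0 otherwise.
audit_owners() {
    allowed=" $1 "
    rc=0
    while IFS= read -r path; do
        [ -e "$path" ] || [ -L "$path" ] || continue
        owner=$(stat -c '%u %U' -- "$path") || continue   # GNU/busybox stat
        uid=${owner%% *}
        case "$allowed" in
            *" $uid "*) ;;
            *) printf '%s\t%s\n' "$owner" "$path"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Usage on a host like the one in this report (allowing root is an assumption):
#   printf '%s\n' /etc/systemd/system/do-agent.service \
#                 /opt/digitalocean/bin/do-agent /usr/share/doc/do-agent |
#       with_parents | audit_owners "0 $(id -u do-agent)"
```

The non-zero exit status makes the check usable from a post-install hook or a periodic job.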