From e3bc8a5ac2638d9cf98266aa91e1bcff0a31475b Mon Sep 17 00:00:00 2001
From: Tudor Golubenco
Date: Thu, 6 Apr 2017 10:52:12 +0200
Subject: [PATCH] Fix modules yml files permission on Deb (#3879) (#3893)

The fix in #3645 had a bug (chmod executed on the wrong folder). This fixes the fix and also adds permissions checks to the tests.
(cherry picked from commit 37ae2fcc7741a42b0d0bf01e0e921174b9672d4a)
---
 dev-tools/package_test.go | 50 +++++++++++++++++++++++++++++++++++----
 libbeat/scripts/Makefile | 2 +-
 2 files changed, 46 insertions(+), 6 deletions(-)

diff --git a/dev-tools/package_test.go b/dev-tools/package_test.go
index be4848fe110..c1c970582aa 100644
--- a/dev-tools/package_test.go
+++ b/dev-tools/package_test.go
@@ -21,13 +21,15 @@ import (
 )

 const (
- expectedConfigMode = os.FileMode(0600)
- expectedConfigUID = 0
- expectedConfigGID = 0
+ expectedConfigMode = os.FileMode(0600)
+ expectedManifestMode = os.FileMode(0644)
+ expectedConfigUID = 0
+ expectedConfigGID = 0
 )

 var (
- configFilePattern = regexp.MustCompile(`.*beat\.yml`)
+ configFilePattern = regexp.MustCompile(`.*beat\.yml`)
+ manifestFilePattern = regexp.MustCompile(`manifest.yml`)
 )

 var (
@@ -73,6 +75,9 @@ func checkRPM(t *testing.T, file string) {
 }

 checkConfigPermissions(t, p)
+ checkConfigOwner(t, p)
+ checkManifestPermissions(t, p)
+ checkManifestOwner(t, p)
 }

 func checkDeb(t *testing.T, file string, buf *bytes.Buffer) {
@@ -84,6 +89,8 @@ func checkDeb(t *testing.T, file string, buf *bytes.Buffer) {

 checkConfigPermissions(t, p)
 checkConfigOwner(t, p)
+ checkManifestPermissions(t, p)
+ checkManifestOwner(t, p)
 }

 func checkTar(t *testing.T, file string) {
@@ -95,6 +102,7 @@ func checkTar(t *testing.T, file string) {

 checkConfigPermissions(t, p)
 checkConfigOwner(t, p)
+ checkManifestPermissions(t, p)
 }

 func checkZip(t *testing.T, file string) {
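Review bot: In the `var (` hunk of dev-tools/package_test.go, `manifestFilePattern` is compiled from `manifest.yml` with the dot unescaped and no anchor, so it matches any entry whose path merely contains `manifest`, one arbitrary character and `yml`. The neighbouring `configFilePattern` escapes its dot. Using the pattern `manifest\.yml$` here would keep the 0644 and ownership assertions confined to the module manifest files they are meant to cover. The `var` block continues past the end of the hunk.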
@@ -105,6 +113,7 @@ func checkZip(t *testing.T, file string) {
 }

 checkConfigPermissions(t, p)
+ checkManifestPermissions(t, p)
 }

 // Verify that the main configuration file is installed with a 0600 file mode.
@@ -115,7 +124,7 @@ func checkConfigPermissions(t *testing.T, p *packageFile) {
 mode := entry.Mode.Perm()
 if expectedConfigMode != mode {
 t.Errorf("file %v has wrong permissions: expected=%v actual=%v",
- entry.Mode, expectedConfigMode, mode)
+ entry.File, expectedConfigMode, mode)
 }
 return
 }
@@ -141,6 +150,37 @@ func checkConfigOwner(t *testing.T, p *packageFile) {
 })
 }

+// Verify that the modules manifest.yml files are installed with a 0644 file mode.
+func checkManifestPermissions(t *testing.T, p *packageFile) {
+ t.Run(p.Name+" manifest file permissions", func(t *testing.T) {
+ for _, entry := range p.Contents {
+ if manifestFilePattern.MatchString(entry.File) {
+ mode := entry.Mode.Perm()
+ if expectedManifestMode != mode {
+ t.Errorf("file %v has wrong permissions: expected=%v actual=%v",
+ entry.File, expectedManifestMode, mode)
+ }
+ }
+ }
+ })
+}
+
+// Verify that the manifest owner is root
+func checkManifestOwner(t *testing.T, p *packageFile) {
+ t.Run(p.Name+" manifest file owner", func(t *testing.T) {
+ for _, entry := range p.Contents {
+ if manifestFilePattern.MatchString(entry.File) {
+ if expectedConfigUID != entry.UID {
+ t.Errorf("file %v should be owned by user %v, owner=%v", entry.File, expectedConfigGID, entry.UID)
+ }
+ if expectedConfigGID != entry.GID {
+ t.Errorf("file %v should be owned by group %v, group=%v", entry.File, expectedConfigGID, entry.GID)
+ }
+ }
+ }
+ })
+}
+
 // Helpers

 type packageFile struct {
diff --git a/libbeat/scripts/Makefile b/libbeat/scripts/Makefile
index e6d6bdb87b9..9f333c79cda 100755
--- a/libbeat/scripts/Makefile
+++ b/libbeat/scripts/Makefile
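Review bot: In the added `checkManifestOwner`, the UID failure message passes `expectedConfigGID` as the expected value; it should read `t.Errorf("file %v should be owned by user %v, owner=%v", entry.File, expectedConfigUID, entry.UID)`. Both constants are 0 today, so the printed text happens to be right, but the report would be wrong as soon as they diverge. Separately, `checkManifestPermissions` and `checkManifestOwner` both pass when no entry matches `manifestFilePattern`, so a package that silently loses its module files is not caught. If every package under test is expected to ship modules (not visible from this hunk), counting the matches and calling `t.Error` on zero would close that gap.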
@@ -353,7 +353,7 @@ install-home:
 if [ -d _meta/module.generated ]; then \
 install -d -m 755 ${HOME_PREFIX}/module; \
 rsync -av _meta/module.generated/ ${HOME_PREFIX}/module/; \
- chmod -R go-w _meta/module.generated; \
+ chmod -R go-w ${HOME_PREFIX}/module/; \
 fi

 # Prepares for packaging. Builds binaries and creates homedir data
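Review bot: `chmod -R go-w ${HOME_PREFIX}/module/` only clears the group and other write bits, so the shipped modes still depend on what the source tree had on the build host (`rsync -a` preserves them), while the new test expects exactly 0644 for manifest.yml. A checkout made under a restrictive umask, or a file carrying an execute bit, would end up 0600 or 0755 and fail that test or differ between builders. If all module files are meant to be 0644, setting the modes explicitly is deterministic, e.g. `find "${HOME_PREFIX}/module" -type f -exec chmod 644 {} +` and `find "${HOME_PREFIX}/module" -type d -exec chmod 755 {} +`. The `install-home` recipe starts above the hunk.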