From af3166f6564b223023ae3defe57e272bacde4c14 Mon Sep 17 00:00:00 2001
From: Tudor Golubenco <tudor@packetbeat.com>
Date: Fri, 31 Mar 2017 13:20:01 +0200
Subject: [PATCH] Fix modules yml files permission on Deb

The fix in #3645 had a bug (chmod executed on the wrong folder). This fixes the fix and also adds permissions checks to the tests.
---
 CHANGELOG.asciidoc        |  2 ++
 dev-tools/package_test.go | 50 +++++++++++++++++++++++++++++++++++----
 libbeat/scripts/Makefile  |  2 +-
 3 files changed, 48 insertions(+), 6 deletions(-)

diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc
index 5f000c41f50..b72afa02306 100644
--- a/CHANGELOG.asciidoc
+++ b/CHANGELOG.asciidoc
@@ -31,6 +31,8 @@ https://github.com/elastic/beats/compare/v5.3.0...master[Check the HEAD diff]
 
 *Filebeat*
 
+- Fix modules default file permissions. {pull}3879[3879]
+
 *Heartbeat*
 
 *Metricbeat*
diff --git a/dev-tools/package_test.go b/dev-tools/package_test.go
index be4848fe110..c1c970582aa 100644
--- a/dev-tools/package_test.go
+++ b/dev-tools/package_test.go
@@ -21,13 +21,15 @@ import (
 )
 
 const (
-	expectedConfigMode = os.FileMode(0600)
-	expectedConfigUID  = 0
-	expectedConfigGID  = 0
+	expectedConfigMode   = os.FileMode(0600)
+	expectedManifestMode = os.FileMode(0644)
+	expectedConfigUID    = 0
+	expectedConfigGID    = 0
 )
 
 var (
-	configFilePattern = regexp.MustCompile(`.*beat\.yml`)
+	configFilePattern   = regexp.MustCompile(`.*beat\.yml`)
+	manifestFilePattern = regexp.MustCompile(`manifest.yml`)
 )
 
 var (
@@ -73,6 +75,9 @@ func checkRPM(t *testing.T, file string) {
 	}
 
 	checkConfigPermissions(t, p)
+	checkConfigOwner(t, p)
+	checkManifestPermissions(t, p)
+	checkManifestOwner(t, p)
 }
 
 func checkDeb(t *testing.T, file string, buf *bytes.Buffer) {
@@ -84,6 +89,8 @@ func checkDeb(t *testing.T, file string, buf *bytes.Buffer) {
 
 	checkConfigPermissions(t, p)
 	checkConfigOwner(t, p)
+	checkManifestPermissions(t, p)
+	checkManifestOwner(t, p)
 }
 
 func checkTar(t *testing.T, file string) {
@@ -95,6 +102,7 @@ func checkTar(t *testing.T, file string) {
 
 	checkConfigPermissions(t, p)
 	checkConfigOwner(t, p)
+	checkManifestPermissions(t, p)
 }
 
 func checkZip(t *testing.T, file string) {
@@ -105,6 +113,7 @@ func checkZip(t *testing.T, file string) {
 	}
 
 	checkConfigPermissions(t, p)
+	checkManifestPermissions(t, p)
 }
 
 // Verify that the main configuration file is installed with a 0600 file mode.
@@ -115,7 +124,7 @@ func checkConfigPermissions(t *testing.T, p *packageFile) {
 				mode := entry.Mode.Perm()
 				if expectedConfigMode != mode {
 					t.Errorf("file %v has wrong permissions: expected=%v actual=%v",
-						entry.Mode, expectedConfigMode, mode)
+						entry.File, expectedConfigMode, mode)
 				}
 				return
 			}
@@ -141,6 +150,37 @@ func checkConfigOwner(t *testing.T, p *packageFile) {
 	})
 }
 
+// Verify that the modules manifest.yml files are installed with a 0644 file mode.
+func checkManifestPermissions(t *testing.T, p *packageFile) {
+	t.Run(p.Name+" manifest file permissions", func(t *testing.T) {
+		for _, entry := range p.Contents {
+			if manifestFilePattern.MatchString(entry.File) {
+				mode := entry.Mode.Perm()
+				if expectedManifestMode != mode {
+					t.Errorf("file %v has wrong permissions: expected=%v actual=%v",
+						entry.File, expectedManifestMode, mode)
+				}
+			}
+		}
+	})
+}
+
+// Verify that the manifest owner is root
+func checkManifestOwner(t *testing.T, p *packageFile) {
+	t.Run(p.Name+" manifest file owner", func(t *testing.T) {
+		for _, entry := range p.Contents {
+			if manifestFilePattern.MatchString(entry.File) {
+				if expectedConfigUID != entry.UID {
+					t.Errorf("file %v should be owned by user %v, owner=%v", entry.File, expectedConfigGID, entry.UID)
+				}
+				if expectedConfigGID != entry.GID {
+					t.Errorf("file %v should be owned by group %v, group=%v", entry.File, expectedConfigGID, entry.GID)
+				}
+			}
+		}
+	})
+}
+
 // Helpers
 
 type packageFile struct {
diff --git a/libbeat/scripts/Makefile b/libbeat/scripts/Makefile
index 89df7c3b8b3..e27c87ef75f 100755
--- a/libbeat/scripts/Makefile
+++ b/libbeat/scripts/Makefile
@@ -327,7 +327,7 @@ install-home:
 	if [ -d _meta/module.generated ]; then \
 		install -d -m 755 ${HOME_PREFIX}/module; \
 		rsync -av _meta/module.generated/ ${HOME_PREFIX}/module/; \
-		chmod -R go-w _meta/module.generated; \
+		chmod -R go-w ${HOME_PREFIX}/module/; \
 	fi
 
 # Prepares for packaging. Builds binaries and creates homedir data