From 93a26b747a503eb825d284be7c0097d3afe3e054 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 25 Nov 2025 09:10:45 +0000 Subject: [PATCH 01/15] Initial plan From da74d8a36d9bd85b4d6ef70f2e938b84ddafdf1d Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 25 Nov 2025 09:17:24 +0000 Subject: [PATCH 02/15] Fix documentation for unprivileged mode with pre-existing user and group - Add note explaining --password is only required on Windows - Add tabs to display separate examples for Windows vs Linux/macOS - Correct Linux/macOS examples to use --user/--group without --password - Add sudo prefix to Linux/macOS commands - Use .exe extension for Windows examples Fixes elastic/docs-content#5298 Co-authored-by: vishaangelova <91186315+vishaangelova@users.noreply.github.com> --- reference/fleet/elastic-agent-unprivileged.md | 82 +++++++++++++++++-- 1 file changed, 75 insertions(+), 7 deletions(-) diff --git a/reference/fleet/elastic-agent-unprivileged.md b/reference/fleet/elastic-agent-unprivileged.md index bc275a6a88..cc0414674c 100644 --- a/reference/fleet/elastic-agent-unprivileged.md +++ b/reference/fleet/elastic-agent-unprivileged.md 
@@ -188,24 +188,92 @@ This functionality is in technical preview and may be changed or removed in a fu In certain cases you may want to install {{agent}} in `unprivileged` mode, with the agent running as a pre-existing user or as part of a pre-existing group. For example, on a Windows system you may have a service account in Active Directory and you’d like {{agent}} to run under that account. -To install {{agent}} in `unprivileged` mode as a specific user, add the `--user` and `--password` parameters to the install command: +::::{note} +The `--password` parameter is only required on Windows. On Linux and macOS, specifying the `--user` and/or `--group` parameters is sufficient. +:::: + +To install {{agent}} in `unprivileged` mode as a specific user or group, use the following commands: + +:::::{tab-set} + +::::{tab-item} Linux/macOS + +To install as a specific user: ```shell -elastic-agent install --unprivileged --user="my.path\username" --password="mypassword" +sudo elastic-agent install --unprivileged --user="username" ``` -To install {{agent}} in `unprivileged` mode as part of a specific group, add the `--group` and `--password` parameters to the install command: +To install as part of a specific group: ```shell -elastic-agent install --unprivileged --group="my.path\groupname" --password="mypassword" +sudo elastic-agent install --unprivileged --group="groupname" ``` -Alternatively, if you have {{agent}} already installed with administrative privileges, you can change the agent to use `unprivileged` mode and to run as a specific user or in a specific group. For example: +To install as a specific user and group: + +```shell +sudo elastic-agent install --unprivileged --user="username" --group="groupname" +``` + +:::: + +::::{tab-item} Windows + +On Windows, the `--password` parameter is required when specifying a custom user account. 
+ +To install as a specific user: ```shell -elastic-agent unprivileged --user="my.path\username" --password="mypassword" +elastic-agent.exe install --unprivileged --user="my.domain\username" --password="mypassword" ``` +To install as part of a specific group: + ```shell -elastic-agent unprivileged --group="my.path\groupname" --password="mypassword" +elastic-agent.exe install --unprivileged --group="my.domain\groupname" ``` + +:::: + +::::: + +Alternatively, if you have {{agent}} already installed with administrative privileges, you can change the agent to use `unprivileged` mode and to run as a specific user or in a specific group. + +:::::{tab-set} + +::::{tab-item} Linux/macOS + +To change to a specific user: + +```shell +sudo elastic-agent unprivileged --user="username" +``` + +To change to a specific group: + +```shell +sudo elastic-agent unprivileged --group="groupname" +``` + +:::: + +::::{tab-item} Windows + +On Windows, the `--password` parameter is required when specifying a custom user account. + +To change to a specific user: + +```shell +elastic-agent.exe unprivileged --user="my.domain\username" --password="mypassword" +``` + +To change to a specific group: + +```shell +elastic-agent.exe unprivileged --group="my.domain\groupname" +``` + +:::: + +::::: From f35413c01becb0de4ef730472da04c5dd009d289 Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 25 Nov 2025 09:33:01 +0000 Subject: [PATCH 03/15] Clarify that --user/--group are optional on Linux/macOS - Update note to explain --user and --group are optional on Linux/macOS - Clarify that if --user is omitted, default elastic-agent-user is used - Clarify that if only --group is specified, agent runs under default user - Update example text in both install and unprivileged command tabs Co-authored-by: vishaangelova <91186315+vishaangelova@users.noreply.github.com> --- reference/fleet/elastic-agent-unprivileged.md | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/reference/fleet/elastic-agent-unprivileged.md b/reference/fleet/elastic-agent-unprivileged.md index cc0414674c..797c473fc2 100644 --- a/reference/fleet/elastic-agent-unprivileged.md +++ b/reference/fleet/elastic-agent-unprivileged.md @@ -189,7 +189,10 @@ This functionality is in technical preview and may be changed or removed in a fu In certain cases you may want to install {{agent}} in `unprivileged` mode, with the agent running as a pre-existing user or as part of a pre-existing group. For example, on a Windows system you may have a service account in Active Directory and you’d like {{agent}} to run under that account. ::::{note} -The `--password` parameter is only required on Windows. On Linux and macOS, specifying the `--user` and/or `--group` parameters is sufficient. +The `--password` parameter is only required on Windows. On Linux and macOS, the `--user` and `--group` parameters are optional: + +* If you omit `--user`, {{agent}} uses (or creates) the default unprivileged user (`elastic-agent-user`). +* If you specify only `--group`, the agent runs unprivileged under its default user but with the requested group. :::: To install {{agent}} in `unprivileged` mode as a specific user or group, use the following commands: 
@@ -198,19 +201,19 @@ To install {{agent}} in `unprivileged` mode as a specific user or group, use the ::::{tab-item} Linux/macOS -To install as a specific user: +To install with a specific user (optional—if omitted, the default `elastic-agent-user` is used): ```shell sudo elastic-agent install --unprivileged --user="username" ``` -To install as part of a specific group: +To install with a specific group (the agent runs under its default user with the specified group): ```shell sudo elastic-agent install --unprivileged --group="groupname" ``` -To install as a specific user and group: +To install with both a specific user and group: ```shell sudo elastic-agent install --unprivileged --user="username" --group="groupname" @@ -244,13 +247,13 @@ Alternatively, if you have {{agent}} already installed with administrative privi ::::{tab-item} Linux/macOS -To change to a specific user: +To change to a specific user (optional—if omitted, the default `elastic-agent-user` is used): ```shell sudo elastic-agent unprivileged --user="username" ``` -To change to a specific group: +To change to a specific group (the agent runs under its default user with the specified group): ```shell sudo elastic-agent unprivileged --group="groupname" From 9cdf6d94df370239c26328dcdca6fed4aefd502f Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 25 Nov 2025 10:22:39 +0000 Subject: [PATCH 04/15] Add synchronized tabs and fix remaining examples - Add tabs to `elastic-agent unprivileged` and `elastic-agent privileged` commands - Add `:group: os` and `:sync:` options to synchronize tabs across page - Remove `.exe` extension from Windows examples - Remove extra clarifying text from example descriptions - Add Windows example for user+group installation Co-authored-by: vishaangelova <91186315+vishaangelova@users.noreply.github.com> --- reference/fleet/elastic-agent-unprivileged.md | 71 +++++++++++++++---- 1 file changed, 59 insertions(+), 12 deletions(-) diff --git a/reference/fleet/elastic-agent-unprivileged.md b/reference/fleet/elastic-agent-unprivileged.md index 797c473fc2..4608239ff9 100644 --- a/reference/fleet/elastic-agent-unprivileged.md +++ b/reference/fleet/elastic-agent-unprivileged.md 
@@ -153,18 +153,56 @@ For any installed {{agent}} you can change the mode that it’s running in by ru Change mode from privileged to unprivileged: +:::::{tab-set} +:group: os + +::::{tab-item} Linux/macOS +:sync: linux + ```shell sudo elastic-agent unprivileged ``` +:::: + +::::{tab-item} Windows +:sync: windows + +```shell +elastic-agent unprivileged +``` + +:::: + +::::: + Changing to `unprivileged` mode is prevented if the agent is currently enrolled in a policy that includes an integration that requires administrative access, such as the {{elastic-defend}} integration. Change mode from unprivileged to privileged: +:::::{tab-set} +:group: os + +::::{tab-item} Linux/macOS +:sync: linux + ```shell sudo elastic-agent privileged ``` +:::: + +::::{tab-item} Windows +:sync: windows + +```shell +elastic-agent privileged +``` + +:::: + +::::: + When an agent is running in `unprivileged` mode, if it doesn’t have the right level of privilege to read a data source, you can also adjust the agent’s privileges by adding `elastic-agent-user` to the user group that has privileges to read the data source. As background, when you run {{agent}} in `unprivileged` mode, one user and one group are created on the host. The same names are used for all operating systems: 
@@ -189,25 +227,24 @@ This functionality is in technical preview and may be changed or removed in a fu In certain cases you may want to install {{agent}} in `unprivileged` mode, with the agent running as a pre-existing user or as part of a pre-existing group. For example, on a Windows system you may have a service account in Active Directory and you’d like {{agent}} to run under that account. ::::{note} -The `--password` parameter is only required on Windows. On Linux and macOS, the `--user` and `--group` parameters are optional: - -* If you omit `--user`, {{agent}} uses (or creates) the default unprivileged user (`elastic-agent-user`). -* If you specify only `--group`, the agent runs unprivileged under its default user but with the requested group. +The `--password` parameter is only required on Windows. On Linux and macOS, the `--user` and `--group` parameters are optional. If you omit `--user`, {{agent}} uses (or creates) the default unprivileged user (`elastic-agent-user`). If you specify only `--group`, the agent runs unprivileged under its default user but with the requested group. :::: To install {{agent}} in `unprivileged` mode as a specific user or group, use the following commands: :::::{tab-set} +:group: os ::::{tab-item} Linux/macOS +:sync: linux -To install with a specific user (optional—if omitted, the default `elastic-agent-user` is used): +To install with a specific user: ```shell sudo elastic-agent install --unprivileged --user="username" ``` -To install with a specific group (the agent runs under its default user with the specified group): +To install with a specific group: ```shell sudo elastic-agent install --unprivileged --group="groupname" 
@@ -222,19 +259,26 @@ sudo elastic-agent install --unprivileged --user="username" --group="groupname" :::: ::::{tab-item} Windows +:sync: windows On Windows, the `--password` parameter is required when specifying a custom user account. To install as a specific user: ```shell -elastic-agent.exe install --unprivileged --user="my.domain\username" --password="mypassword" +elastic-agent install --unprivileged --user="my.domain\username" --password="mypassword" ``` To install as part of a specific group: ```shell -elastic-agent.exe install --unprivileged --group="my.domain\groupname" +elastic-agent install --unprivileged --group="my.domain\groupname" +``` + +To install with both a specific user and group: + +```shell +elastic-agent install --unprivileged --user="my.domain\username" --group="my.domain\groupname" --password="mypassword" ``` :::: @@ -244,16 +288,18 @@ elastic-agent.exe install --unprivileged --group="my.domain\groupname" Alternatively, if you have {{agent}} already installed with administrative privileges, you can change the agent to use `unprivileged` mode and to run as a specific user or in a specific group. :::::{tab-set} +:group: os ::::{tab-item} Linux/macOS +:sync: linux -To change to a specific user (optional—if omitted, the default `elastic-agent-user` is used): +To change to a specific user: ```shell sudo elastic-agent unprivileged --user="username" ``` -To change to a specific group (the agent runs under its default user with the specified group): +To change to a specific group: ```shell sudo elastic-agent unprivileged --group="groupname" 
@@ -262,19 +308,20 @@ sudo elastic-agent unprivileged --group="groupname" :::: ::::{tab-item} Windows +:sync: windows On Windows, the `--password` parameter is required when specifying a custom user account. To change to a specific user: ```shell -elastic-agent.exe unprivileged --user="my.domain\username" --password="mypassword" +elastic-agent unprivileged --user="my.domain\username" --password="mypassword" ``` To change to a specific group: ```shell -elastic-agent.exe unprivileged --group="my.domain\groupname" +elastic-agent unprivileged --group="my.domain\groupname" ``` :::: From 534d8e7388333eeb224d41ba66fb427de67f6725 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 25 Nov 2025 10:41:35 +0000 Subject: [PATCH 05/15] Add tabs to initial install example in unprivileged mode section - Add synchronized tabs for Linux/macOS and Windows install commands - Add sudo prefix to Linux/macOS example (required for service installation) - Use PowerShell backtick line continuation for Windows example Co-authored-by: vishaangelova <91186315+vishaangelova@users.noreply.github.com> --- reference/fleet/elastic-agent-unprivileged.md | 24 ++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/reference/fleet/elastic-agent-unprivileged.md b/reference/fleet/elastic-agent-unprivileged.md index 4608239ff9..ff3f8cbb7b 100644 --- a/reference/fleet/elastic-agent-unprivileged.md +++ b/reference/fleet/elastic-agent-unprivileged.md 
@@ -28,13 +28,35 @@ Refer to [Agent and dashboard behaviors in unprivileged mode](#unprivileged-comm To run {{agent}} without administrative privileges you use exactly the same commands that you use for {{agent}} otherwise, with one exception. When you run the [`elastic-agent install`](/reference/fleet/agent-command-reference.md#elastic-agent-install-command) command, add the `--unprivileged` flag. For example: +:::::{tab-set} +:group: os + +::::{tab-item} Linux/macOS +:sync: linux + ```shell -elastic-agent install \ +sudo elastic-agent install \ --url=https://cedd4e0e21e240b4s2bbbebdf1d6d52f.fleet.eu-west-1.aws.cld.elstc.co:443 \ --enrollment-token=NEFmVllaa0JLRXhKebVKVTR5TTI6N2JaVlJpSGpScmV0ZUVnZVlRUExFQQ== \ --unprivileged ``` +:::: + +::::{tab-item} Windows +:sync: windows + +```shell +elastic-agent install ` + --url=https://cedd4e0e21e240b4s2bbbebdf1d6d52f.fleet.eu-west-1.aws.cld.elstc.co:443 ` + --enrollment-token=NEFmVllaa0JLRXhKebVKVTR5TTI6N2JaVlJpSGpScmV0ZUVnZVlRUExFQQ== ` + --unprivileged +``` + +:::: + +::::: + ::::{important} Note the following current restrictions for running {{agent}} in `unprivileged` mode: From cf0133d420ad086fe02bf98bbe3a070d7d508219 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 25 Nov 2025 10:50:46 +0000 Subject: [PATCH 06/15] Specify PowerShell before Windows install example Co-authored-by: vishaangelova <91186315+vishaangelova@users.noreply.github.com> --- reference/fleet/elastic-agent-unprivileged.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/reference/fleet/elastic-agent-unprivileged.md b/reference/fleet/elastic-agent-unprivileged.md index ff3f8cbb7b..6730ec9787 100644 --- a/reference/fleet/elastic-agent-unprivileged.md +++ b/reference/fleet/elastic-agent-unprivileged.md 
@@ -46,6 +46,8 @@ sudo elastic-agent install \ ::::{tab-item} Windows :sync: windows +From PowerShell: + ```shell elastic-agent install ` --url=https://cedd4e0e21e240b4s2bbbebdf1d6d52f.fleet.eu-west-1.aws.cld.elstc.co:443 ` From 8efec3b6521ef17e118f5ff0436432b37a1aecd4 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 25 Nov 2025 11:09:27 +0000 Subject: [PATCH 07/15] Format note block with bullet points for better readability Co-authored-by: vishaangelova <91186315+vishaangelova@users.noreply.github.com> --- reference/fleet/elastic-agent-unprivileged.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/reference/fleet/elastic-agent-unprivileged.md b/reference/fleet/elastic-agent-unprivileged.md index 6730ec9787..3ae4313d31 100644 --- a/reference/fleet/elastic-agent-unprivileged.md +++ b/reference/fleet/elastic-agent-unprivileged.md 
@@ -251,7 +251,11 @@ This functionality is in technical preview and may be changed or removed in a fu In certain cases you may want to install {{agent}} in `unprivileged` mode, with the agent running as a pre-existing user or as part of a pre-existing group. For example, on a Windows system you may have a service account in Active Directory and you’d like {{agent}} to run under that account. ::::{note} -The `--password` parameter is only required on Windows. On Linux and macOS, the `--user` and `--group` parameters are optional. If you omit `--user`, {{agent}} uses (or creates) the default unprivileged user (`elastic-agent-user`). If you specify only `--group`, the agent runs unprivileged under its default user but with the requested group. +The `--password` parameter is only required on Windows. + +On Linux and macOS, the `--user` and `--group` parameters are optional: +* If you omit `--user`, {{agent}} uses (or creates) the default unprivileged user (`elastic-agent-user`). +* If you specify only `--group`, the agent runs unprivileged under its default user but with the requested group. :::: To install {{agent}} in `unprivileged` mode as a specific user or group, use the following commands: From f1f0c9ef6da82db3c96e7899f6bd17efc6f76762 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 25 Nov 2025 11:21:02 +0000 Subject: [PATCH 08/15] Fix documentation for unprivileged mode with pre-existing user and group Co-authored-by: vishaangelova <91186315+vishaangelova@users.noreply.github.com> --- reference/fleet/elastic-agent-unprivileged.md | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/reference/fleet/elastic-agent-unprivileged.md b/reference/fleet/elastic-agent-unprivileged.md index 3ae4313d31..19f42ebbc8 100644 --- a/reference/fleet/elastic-agent-unprivileged.md +++ b/reference/fleet/elastic-agent-unprivileged.md 
@@ -251,7 +251,7 @@ This functionality is in technical preview and may be changed or removed in a fu In certain cases you may want to install {{agent}} in `unprivileged` mode, with the agent running as a pre-existing user or as part of a pre-existing group. For example, on a Windows system you may have a service account in Active Directory and you’d like {{agent}} to run under that account. ::::{note} -The `--password` parameter is only required on Windows. +On Windows, the `--password parameter` is required when specifying a custom user account. On Linux and macOS, the `--user` and `--group` parameters are optional: * If you omit `--user`, {{agent}} uses (or creates) the default unprivileged user (`elastic-agent-user`). @@ -289,8 +289,6 @@ sudo elastic-agent install --unprivileged --user="username" --group="groupname" ::::{tab-item} Windows :sync: windows -On Windows, the `--password` parameter is required when specifying a custom user account. - To install as a specific user: ```shell @@ -306,7 +304,7 @@ elastic-agent install --unprivileged --group="my.domain\groupname" To install with both a specific user and group: ```shell -elastic-agent install --unprivileged --user="my.domain\username" --group="my.domain\groupname" --password="mypassword" +elastic-agent install --unprivileged --user="my.domain\username" --password="mypassword" --group="my.domain\groupname" ``` :::: @@ -338,8 +336,6 @@ sudo elastic-agent unprivileged --group="groupname" ::::{tab-item} Windows :sync: windows -On Windows, the `--password` parameter is required when specifying a custom user account. - To change to a specific user: ```shell From cfee58dfa130510cbb8d4ea19b1894751bc05aee Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 25 Nov 2025 11:23:39 +0000 Subject: [PATCH 09/15] Fix note formatting: proper backtick around --password parameter Co-authored-by: vishaangelova <91186315+vishaangelova@users.noreply.github.com> --- reference/fleet/elastic-agent-unprivileged.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/reference/fleet/elastic-agent-unprivileged.md b/reference/fleet/elastic-agent-unprivileged.md index 19f42ebbc8..b2512e5fd0 100644 --- a/reference/fleet/elastic-agent-unprivileged.md +++ b/reference/fleet/elastic-agent-unprivileged.md @@ -251,7 +251,7 @@ This functionality is in technical preview and may be changed or removed in a fu In certain cases you may want to install {{agent}} in `unprivileged` mode, with the agent running as a pre-existing user or as part of a pre-existing group. For example, on a Windows system you may have a service account in Active Directory and you’d like {{agent}} to run under that account. ::::{note} -On Windows, the `--password parameter` is required when specifying a custom user account. +On Windows, the `--password` parameter is required when specifying a custom user account. On Linux and macOS, the `--user` and `--group` parameters are optional: * If you omit `--user`, {{agent}} uses (or creates) the default unprivileged user (`elastic-agent-user`). From 12417189aecd0cce650abdb858b19aea18865e36 Mon Sep 17 00:00:00 2001 From: Visha Angelova <91186315+vishaangelova@users.noreply.github.com> Date: Fri, 28 Nov 2025 14:45:41 +0100 Subject: [PATCH 10/15] Update reference/fleet/elastic-agent-unprivileged.md --- reference/fleet/elastic-agent-unprivileged.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/reference/fleet/elastic-agent-unprivileged.md b/reference/fleet/elastic-agent-unprivileged.md index b2512e5fd0..fffa4a359e 100644 --- a/reference/fleet/elastic-agent-unprivileged.md 
+++ b/reference/fleet/elastic-agent-unprivileged.md @@ -255,7 +255,7 @@ On Windows, the `--password` parameter is required when specifying a custom user On Linux and macOS, the `--user` and `--group` parameters are optional: * If you omit `--user`, {{agent}} uses (or creates) the default unprivileged user (`elastic-agent-user`). -* If you specify only `--group`, the agent runs unprivileged under its default user but with the requested group. +* If you specify only `--group`, the agent runs unprivileged with the requested group using the default user. :::: To install {{agent}} in `unprivileged` mode as a specific user or group, use the following commands: From f9da888a5e16a1945a396829f98ed274b03f2f38 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 28 Nov 2025 13:47:34 +0000 Subject: [PATCH 11/15] Remove nested bullet points, format as paragraphs under list items - Changed lines 67 and 73 from nested bullet points (*) to regular paragraphs indented under their respective list items Co-authored-by: vishaangelova <91186315+vishaangelova@users.noreply.github.com> --- reference/fleet/elastic-agent-unprivileged.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/reference/fleet/elastic-agent-unprivileged.md b/reference/fleet/elastic-agent-unprivileged.md index fffa4a359e..2b90ae4fe4 100644 --- a/reference/fleet/elastic-agent-unprivileged.md +++ b/reference/fleet/elastic-agent-unprivileged.md 
@@ -64,17 +64,17 @@ Note the following current restrictions for running {{agent}} in `unprivileged` * On Linux systems, after {{agent}} has been installed with the `--unprivileged` flag, all {{agent}} commands can be run without being the root user. - * The `sudo` option is still required for the `elastic-agent install` command. Only `root` can install new services. The installed service will not run as the root user. + The `sudo` option is still required for the `elastic-agent install` command. Only `root` can install new services. The installed service will not run as the root user. * Using `sudo` without specifying an alternate non-root user with `sudo -u` in a command may result in [an error](/troubleshoot/ingest/fleet/common-problems.md#agent-sudo-error) due to the agent not having the required privileges. * Using `sudo -u elastic-agent-user` will run commands as the user running the {{agent}} service and will always work. * For files that allow users in the `elastic-agent` group access, using an alternate user that has been added to that group will also work. There are still some commands that are only accessible to the `elastic-agent-user` that runs the service. - * For example, `elastic-agent inspect` requires you to prefix the command with `sudo -u elastic-agent-user`. + For example, `elastic-agent inspect` requires you to prefix the command with `sudo -u elastic-agent-user`. - ```shell - sudo -u elastic-agent-user elastic-agent inspect - ``` + ```shell + sudo -u elastic-agent-user elastic-agent inspect + ``` :::: From 072e1f49a2e4d9c6f4004152933111f532533a7a Mon Sep 17 00:00:00 2001 From: Visha Angelova <91186315+vishaangelova@users.noreply.github.com> Date: Fri, 28 Nov 2025 20:30:35 +0100 Subject: [PATCH 12/15] Update reference/fleet/elastic-agent-unprivileged.md --- reference/fleet/elastic-agent-unprivileged.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/reference/fleet/elastic-agent-unprivileged.md b/reference/fleet/elastic-agent-unprivileged.md index 2b90ae4fe4..6b3fac8e99 100644 --- a/reference/fleet/elastic-agent-unprivileged.md +++ b/reference/fleet/elastic-agent-unprivileged.md @@ -255,7 +255,7 @@ On Windows, the `--password` parameter is required when specifying a custom user On Linux and macOS, the `--user` and `--group` parameters are optional: * If you omit `--user`, {{agent}} uses (or creates) the default unprivileged user (`elastic-agent-user`). -* If you specify only `--group`, the agent runs unprivileged with the requested group using the default user. +* If you specify only `--group`, the agent runs unprivileged in the requested group using the default user. :::: To install {{agent}} in `unprivileged` mode as a specific user or group, use the following commands: From a7ec55f9094ae95c420152a33e5bf1d7df9c2326 Mon Sep 17 00:00:00 2001 From: Visha Angelova Date: Mon, 1 Dec 2025 14:14:32 +0100 Subject: [PATCH 13/15] Move content from a note to a separate heading and rephrase it --- reference/fleet/elastic-agent-unprivileged.md | 25 ++++++------------- 1 file changed, 8 insertions(+), 17 deletions(-) diff --git a/reference/fleet/elastic-agent-unprivileged.md b/reference/fleet/elastic-agent-unprivileged.md index 6b3fac8e99..555c962c20 100644 --- a/reference/fleet/elastic-agent-unprivileged.md +++ b/reference/fleet/elastic-agent-unprivileged.md 
@@ -59,26 +59,17 @@ elastic-agent install ` ::::: -::::{important} -Note the following current restrictions for running {{agent}} in `unprivileged` mode: +## Limitations -* On Linux systems, after {{agent}} has been installed with the `--unprivileged` flag, all {{agent}} commands can be run without being the root user. +Note the following limitations for running {{agent}} in `unprivileged` mode: - The `sudo` option is still required for the `elastic-agent install` command. Only `root` can install new services. The installed service will not run as the root user. - -* Using `sudo` without specifying an alternate non-root user with `sudo -u` in a command may result in [an error](/troubleshoot/ingest/fleet/common-problems.md#agent-sudo-error) due to the agent not having the required privileges. -* Using `sudo -u elastic-agent-user` will run commands as the user running the {{agent}} service and will always work. -* For files that allow users in the `elastic-agent` group access, using an alternate user that has been added to that group will also work. There are still some commands that are only accessible to the `elastic-agent-user` that runs the service. - - For example, `elastic-agent inspect` requires you to prefix the command with `sudo -u elastic-agent-user`. - - ```shell - sudo -u elastic-agent-user elastic-agent inspect - ``` - - -:::: +* On Linux systems, you must use `sudo` to run the `elastic-agent install` command because only the root user can install new services. However, if you install {{agent}} with the `--unprivileged` flag, the service does not run as root, and you can run all {{agent}} commands without being the root user. +* When running {{agent}} in `unprivileged` mode, using `sudo` with {{agent}} commands can cause [an error](/troubleshoot/ingest/fleet/common-problems.md#agent-sudo-error) because the agent does not have the required privileges. 
To avoid this, run commands as the user that runs the {{agent}} service by using `sudo -u elastic-agent-user`. +* For files that grant access to users in the `elastic-agent` group, you can also run commands as any user that belongs to that group. However, some commands are only available to the `elastic-agent-user` that runs the service. For example, `elastic-agent inspect` must be run as that user: + ```shell + sudo -u elastic-agent-user elastic-agent inspect + ``` ## Agent and dashboard behaviors in unprivileged mode [unprivileged-command-behaviors] From 3b4ae47c70d7d789cb912689ed42a9cbb1f38c1c Mon Sep 17 00:00:00 2001 From: Visha Angelova Date: Mon, 1 Dec 2025 18:13:34 +0100 Subject: [PATCH 14/15] Rename section; add smaller fixes --- reference/fleet/elastic-agent-unprivileged.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/reference/fleet/elastic-agent-unprivileged.md b/reference/fleet/elastic-agent-unprivileged.md index 555c962c20..4fd8d9dae2 100644 --- a/reference/fleet/elastic-agent-unprivileged.md +++ b/reference/fleet/elastic-agent-unprivileged.md 
@@ -59,13 +59,13 @@ elastic-agent install ` ::::: -## Limitations +### Considerations for running {{agent}} in `unprivileged` mode -Note the following limitations for running {{agent}} in `unprivileged` mode: +When running {{agent}} in `unprivileged` mode on Linux systems, consider the following: -* On Linux systems, you must use `sudo` to run the `elastic-agent install` command because only the root user can install new services. However, if you install {{agent}} with the `--unprivileged` flag, the service does not run as root, and you can run all {{agent}} commands without being the root user. -* When running {{agent}} in `unprivileged` mode, using `sudo` with {{agent}} commands can cause [an error](/troubleshoot/ingest/fleet/common-problems.md#agent-sudo-error) because the agent does not have the required privileges. To avoid this, run commands as the user that runs the {{agent}} service by using `sudo -u elastic-agent-user`. -* For files that grant access to users in the `elastic-agent` group, you can also run commands as any user that belongs to that group. However, some commands are only available to the `elastic-agent-user` that runs the service. For example, `elastic-agent inspect` must be run as that user: +* You must use `sudo` to run the `elastic-agent install` command because only the root user can install new services. After {{agent}} is installed with the `--unprivileged` flag, the service does not run as root, and you can run {{agent}} commands without being the root user. +* When the {{agent}} is in `unprivileged` mode, using `sudo` with {{agent}} commands can cause [an error](/troubleshoot/ingest/fleet/common-problems.md#agent-sudo-error) because the agent does not have the required privileges. To avoid this, run commands as the user that runs the {{agent}} service by using `sudo -u elastic-agent-user`. +* For files that grant access to users in the `elastic-agent` group, you can also run commands as any user that belongs to that group. 
However, some commands are only available to the user that runs the service (`elastic-agent-user`). For example, `elastic-agent inspect` must be run as that user: ```shell sudo -u elastic-agent-user elastic-agent inspect From 3238a5caf3cc1784b925cabfcd20a64fd47ce182 Mon Sep 17 00:00:00 2001 From: Visha Angelova <91186315+vishaangelova@users.noreply.github.com> Date: Tue, 2 Dec 2025 08:32:25 +0100 Subject: [PATCH 15/15] Update reference/fleet/elastic-agent-unprivileged.md --- reference/fleet/elastic-agent-unprivileged.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/reference/fleet/elastic-agent-unprivileged.md b/reference/fleet/elastic-agent-unprivileged.md index 4fd8d9dae2..171b488299 100644 --- a/reference/fleet/elastic-agent-unprivileged.md +++ b/reference/fleet/elastic-agent-unprivileged.md @@ -59,7 +59,7 @@ elastic-agent install ` ::::: -### Considerations for running {{agent}} in `unprivileged` mode +### Considerations When running {{agent}} in `unprivileged` mode on Linux systems, consider the following:
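Review bot: The Windows examples in PATCH 02/15 (`elastic-agent.exe install --unprivileged --user="my.domain\username" --password="mypassword"` and the matching `unprivileged` command) pass the service account password as a literal command-line argument, and nothing in the tab tells the reader what that implies. Add one sentence beside the Windows examples saying the value should be kept out of shell history, saved scripts and pasted transcripts, and replace `mypassword` with an obvious placeholder such as `<password>` so the sample cannot be mistaken for a usable default.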
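Review bot: The new Windows tab in PATCH 05/15 copies the realistic-looking `--url=` and `--enrollment-token=` values from the existing example, so the page now carries the same token-shaped string twice. Since both tabs are being touched anyway, swap them for placeholders such as `<fleet-server-url>` and `<enrollment-token>`. That keeps readers from pasting the sample as-is and keeps secret scanners from flagging the page.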
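Review bot: "From PowerShell:" in PATCH 06/15 sits above a block that is still fenced as `shell`, even though its lines end in the PowerShell backtick continuation added in PATCH 05/15. Tag that fence `powershell` so the highlighting matches the stated shell. Also check the command name: PATCH 04/15 reduced it to a bare `elastic-agent`, and if the reader is expected to run it from the extracted package directory, PowerShell needs the `.\` prefix, because it does not execute binaries from the current directory by name alone.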
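Review bot: After PATCH 08/15 the only statement about passwords is the note line "On Windows, the `--password` parameter is required when specifying a custom user account", while the Windows group-only examples (`elastic-agent install --unprivileged --group="my.domain\groupname"`) carry no `--password`. The lines removed in PATCH 02/15 had `--password` on the group commands. Say explicitly in the note whether a group-only install or mode change on Windows needs no password, rather than leaving the reader to infer it from the example.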
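Review bot: The intro added in PATCH 14/15, "When running {{agent}} in `unprivileged` mode on Linux systems, consider the following:", scopes all three bullets to Linux. Before this change only the first bullet said "On Linux systems", and the tabs added earlier in the series are labelled Linux/macOS and use the same `sudo` commands. Either widen the intro to Linux and macOS or state which bullets do not apply on macOS, so that macOS readers do not skip the `sudo -u elastic-agent-user` guidance.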
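Review bot: `### Considerations` in PATCH 15/15 has no explicit anchor, unlike `## Agent and dashboard behaviors in unprivileged mode [unprivileged-command-behaviors]` directly below it, and this heading was renamed in each of PATCH 13, 14 and 15. Add a stable anchor in the same bracket style so that links to the `sudo` guidance do not break the next time the title changes. The bare title also gives no hint in a table of contents that the section is about `sudo` and the service user.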