Fix permissions at systemd unit file (elastic#7873) (elastic#8189)

Systemd unit has wrong permissions. So systemd logs: `Configuration file /lib/systemd/system/auditbeat.service is marked executable. Please remove executable permission bits. Proceeding anyway` (cherry picked from commit 9dba758)
leweafan · Sep 4, 2018 · 27cf773 · 27cf773
1 parent b73319c
commit 27cf773
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 6 deletions.
diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc
@@ -41,6 +41,7 @@ https://github.com/elastic/beats/compare/v6.4.0...6.4[Check the HEAD diff]
 - Deregister pipeline loader callback when inputsRunner is stopped. {pull}7893[7893]
 - Replace index patterns in TSVB visualizations. {pull}7929[7929]
 - Add backoff support to x-pack monitoring outputs. {issue}7966[7966]
+- Removed execute permissions systemd unit file. {pull}7873[7873]
 
 *Auditbeat*
 

diff --git a/dev-tools/packaging/package_test.go b/dev-tools/packaging/package_test.go
@@ -48,11 +48,12 @@ const (
 )
 
 var (
-	configFilePattern   = regexp.MustCompile(`.*beat\.yml|apm-server\.yml`)
-	manifestFilePattern = regexp.MustCompile(`manifest.yml`)
-	modulesDirPattern   = regexp.MustCompile(`module/.+`)
-	modulesDDirPattern  = regexp.MustCompile(`modules.d/$`)
-	modulesDFilePattern = regexp.MustCompile(`modules.d/.+`)
+	configFilePattern      = regexp.MustCompile(`.*beat\.yml|apm-server\.yml`)
+	manifestFilePattern    = regexp.MustCompile(`manifest.yml`)
+	modulesDirPattern      = regexp.MustCompile(`module/.+`)
+	modulesDDirPattern     = regexp.MustCompile(`modules.d/$`)
+	modulesDFilePattern    = regexp.MustCompile(`modules.d/.+`)
+	systemdUnitFilePattern = regexp.MustCompile(`/lib/systemd/system/.*\.service`)
 )
 
 var (
@@ -107,6 +108,7 @@ func checkRPM(t *testing.T, file string) {
 	checkModulesPresent(t, "/usr/share", p)
 	checkModulesDPresent(t, "/etc/", p)
 	checkModulesOwner(t, p)
+	checkSystemdUnitPermissions(t, p)
 }
 
 func checkDeb(t *testing.T, file string, buf *bytes.Buffer) {
@@ -124,6 +126,7 @@ func checkDeb(t *testing.T, file string, buf *bytes.Buffer) {
 	checkModulesDPresent(t, "./etc/", p)
 	checkModulesPermissions(t, p)
 	checkModulesOwner(t, p)
+	checkSystemdUnitPermissions(t, p)
 }
 
 func checkTar(t *testing.T, file string) {
@@ -289,6 +292,25 @@ func checkModules(t *testing.T, name, prefix string, r *regexp.Regexp, p *packag
 	})
 }
 
+// Verify that the systemd unit file has a mode of 0644. It should not be
+// executable.
+func checkSystemdUnitPermissions(t *testing.T, p *packageFile) {
+	const expectedMode = os.FileMode(0644)
+	t.Run(p.Name+" systemd unit file permissions", func(t *testing.T) {
+		for _, entry := range p.Contents {
+			if systemdUnitFilePattern.MatchString(entry.File) {
+				mode := entry.Mode.Perm()
+				if expectedMode != mode {
+					t.Errorf("file %v has wrong permissions: expected=%v actual=%v",
+						entry.File, expectedMode, mode)
+				}
+				return
+			}
+		}
+		t.Errorf("no systemd unit file found matching %v", configFilePattern)
+	})
+}
+
 // Helpers
 
 type packageFile struct {

diff --git a/dev-tools/packaging/packages.yml b/dev-tools/packaging/packages.yml
@@ -58,7 +58,7 @@ shared:
         mode: 0755
       /lib/systemd/system/{{.BeatServiceName}}.service:
         template: '{{ elastic_beats_dir }}/dev-tools/packaging/templates/linux/systemd.unit.tmpl'
-        mode: 0755
+        mode: 0644
       /etc/init.d/{{.BeatServiceName}}:
         template: '{{ elastic_beats_dir }}/dev-tools/packaging/templates/{{.PackageType}}/init.sh.tmpl'
         mode: 0755