
chmod BUILD_METADATA_FILE to allow global read permissions

Open bval opened this issue 7 months ago • 3 comments

Release notes

Allow global read permissions on BUILD_METADATA_FILE

What does this PR do?

This PR allows for global read permissions on BUILD_METADATA_FILE (build.rb). This file is created by Ruby's Tempfile.new which is hardwired to set permissions to 0600 on all temporary files.

If a logstash user builds logstash and then attempts to run, for example, the Docker version as another system user, the run will fail, as only the build user has permission to read build.rb once it is packaged as owned by that build user with perms 0600.

Why is it important/What is the impact to the user?

This PR fixes #14836, which contains a complete bug report from a user experiencing this issue. The relevant excerpt is:

root@kind:/home/radware/git/waas/waas_backend/docker-images/logstash# docker run -u nobody:nogroup -v $PWD/data.7.17.8:/usr/share/logstash/data --rm -ti  --entrypoint bash docker.elastic.co/logstash/logstash:7.17.8

nobody@45c2639679b8:/usr/share/logstash$  ls -al ./logstash-core/lib/logstash/build.rb
-rw-rw---- 1 logstash root 156 Nov 30 16:11 ./logstash-core/lib/logstash/build.rb

Checklist

  • [x] My code follows the style guidelines of this project
  • ~~[ ] I have commented my code, particularly in hard-to-understand areas~~
  • ~~[ ] I have made corresponding changes to the documentation~~
  • ~~[ ] I have made corresponding change to the default configuration files (and/or docker env variables)~~
  • ~~[ ] I have added tests that prove my fix is effective or that my feature works~~

Author's Checklist

  • [ ] CI is passing and the build behaves as expected
  • [ ] In the generated release artifacts verify that the permissions of build.rb are 0644

How to test this PR locally

Build all logstash packages and successfully install one or run the Docker image

Related issues

  • Fixes #14836

Use cases

  1. Build logstash
  2. Run logstash as a Docker user other than yourself

bval, Apr 10 '25 17:04
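
The permission behaviour described in the PR text above, reproduced as an added example; this is not code from the PR or from the Logstash build. `stage_build_metadata`, `audit_modes` and the sample content are hypothetical names and constructed data, and the mode-preserving copy is an assumed stand-in for the packaging step. The audit function is one way to automate the "permissions of build.rb are 0644" item in the author's checklist without accepting group- or world-writable files.

```ruby
require "tempfile"
require "fileutils"
require "tmpdir"

# Hypothetical stand-in for the build step: write metadata to a Tempfile and
# stage it into the artifact tree, keeping the source mode as a packager would.
def stage_build_metadata(stage_dir, content, world_readable:)
  tmp = Tempfile.new("build.rb")   # created 0600; a umask can only narrow it
  tmp.write(content)
  tmp.close                        # flush to disk; the path stays valid
  # The change under discussion: owner rw, group/other read-only (0644).
  File.chmod(0o644, tmp.path) if world_readable
  dest = File.join(stage_dir, "build.rb")
  FileUtils.cp(tmp.path, dest, preserve: true) # preserve: true copies the mode
  dest
ensure
  tmp&.unlink
end

# Permission bits only, without the file-type bits.
def mode_of(path)
  File.stat(path).mode & 0o777
end

# Release check: each file must be readable by "other" and must not be
# writable by group or other. Returns { path => reason } for offenders.
def audit_modes(paths)
  paths.each_with_object({}) do |path, bad|
    mode = mode_of(path)
    if (mode & 0o004).zero?
      bad[path] = format("not world-readable (%04o)", mode)
    elsif (mode & 0o022) != 0
      bad[path] = format("group/other writable (%04o)", mode)
    end
  end
end

# Constructed sample content, not the real build.rb.
SAMPLE = "# encoding: utf-8\nBUILD_INFO = {}\n"

def demo
  Dir.mktmpdir do |dir|
    a, b = %w[a b].map { |n| File.join(dir, n).tap { |d| Dir.mkdir(d) } }
    before = stage_build_metadata(a, SAMPLE, world_readable: false)
    after = stage_build_metadata(b, SAMPLE, world_readable: true)
    { before: mode_of(before), after: mode_of(after),
      findings: audit_modes([before, after]).values }
  end
end
```
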

💚 CLA has been signed

This pull request does not have a backport label. Could you fix it @bval? 🙏 To fixup this pull request, you need to add the backport labels for the needed branches, such as:

  • backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit.
  • backport-8.x is the label to automatically backport to the 8.x branch.
  • If no backport is necessary, please add the backport-skip label

mergify[bot], Apr 10 '25 17:04

This pull request does not have a backport label. Could you fix it @bval? 🙏 To fixup this pull request, you need to add the backport labels for the needed branches, such as:

  • backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit.
  • backport-8.x is the label to automatically backport to the 8.x branch.
  • If no backport is necessary, please add the backport-skip label

To the reviewer: I do not have permission to edit labels on this PR, or I would happily set them correctly.

bval, Apr 10 '25 17:04