ERROR: At wpopenv(): file has write permissions on EFS deployment

[TheMatrix97]

Hi! We're facing the following error with a kubernetes deployment on EKS using EFS as volumes

wazuh-integratord[9069] integrator.c:394 at OS_IntegratorD(): DEBUG: Running: integrations /tmp/virustotal-<code>.alert <key> debug
wazuh-integratord[9069] exec_op.c:227 at wpopenv(): ERROR: At wpopenv(): file 'integrations/virustotal' has write permissions.
wazuh-integratord[9069] integrator.c:410 at OS_IntegratorD(): ERROR: Couldn't execute command (integrations /tmp/virustotal-<code>.alert <key> debug). Check file and permissions.

The error seems pretty clear, the executable virus_total has write permissions, and it doesn't seem to be allowed (¿¿¿¿why????) So, simple, we can just remove manually all the write permissions as a test

$ chmod 550 /var/ossec/integrations/*

But, that doesn't work, same error, same behaviour. We also tried to install wazuh locally in a VM, just to verify it wasn't a version-related problem. That worked perfectly, so it seems to be something related with our deployment in K8s. At this point we started to suspect it could be related with the EFS volumes, implemented with the NFS filesystem.

After doing some research, we found out the integratord is calling the function wpopenv() which in fact, runs the following code:

https://github.com/wazuh/wazuh/blob/dacf07da9930c4445ea55b1e5cdf6c7baea9a8d6/src/shared/exec_op.c#L226-L229

In fact it end up running the function access(path, W_OK), which according to the documentation it is known to bring problems with NFS / FUSE filesystems.

Is there any alternative function to use?. If not, it seems we found out a limitation when using EFS, and maybe we could provide some clarification in the docs, just to alert users wondering to use EFS or any NFS/FUSE filesystem instead of EBS.