Move umask from code to service files (#29708)

Before this the `umask` value was hard-coded in `libbeat`. It caused
some confusion among the users since file permission configuration was
practically ignored by a beat on the level of the binary. It's been
decided that we move `umask` to the service files, so the distribution
is secured by default but it still allows the users to set the value
if they choose to.

CHANGELOG.next.asciidoc

@@ -150,6 +150,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add `default_region` config to AWS common module. {pull}29415[29415]
 - Add support for latest k8s versions v1.23 and v1.22 {pull}29575[29575]
 - Only connect to Elasticsearch instances with the same version or newer. {pull}29683[29683]
+- Move umask from code to service files. {pull}29708[29708]
 
 *Auditbeat*
 
@@ -214,9 +215,3 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 ==== Known Issue
 
 *Journalbeat*
-
-
-
-
-
-

dev-tools/packaging/templates/darwin/launchd-daemon.plist.tmpl

@@ -22,5 +22,9 @@
     </array>
     <key>RunAtLoad</key>
     <true/>
+    <key>Umask</key>
+    <integer>
+        0027
+    </integer>
 </dict>
 </plist>

dev-tools/packaging/templates/linux/beatname.sh.tmpl

@@ -2,7 +2,7 @@
 
 # Script to run {{.BeatName | title}} in foreground with the same path settings that
 # the init script / systemd unit file would do.
-
+umask 0027
 exec /usr/share/{{.BeatName}}/bin/{{.BeatName}} \
   --path.home /usr/share/{{.BeatName}} \
   --path.config /etc/{{.BeatName}} \

dev-tools/packaging/templates/linux/elastic-agent.sh.tmpl

@@ -2,7 +2,7 @@
 
 # Script to run {{.BeatName | title}} in foreground with the same path settings that
 # the init script / systemd unit file would do.
-
+umask 0027
 exec /usr/share/{{.BeatName}}/bin/{{.BeatName}} \
   --path.home /var/lib/{{.BeatName}} \
   --path.config /etc/{{.BeatName}} \

dev-tools/packaging/templates/linux/elastic-agent.unit.tmpl

@@ -9,6 +9,7 @@ After=network-online.target
 User={{ .BeatUser }}
 Group={{ .BeatUser }}
 {{- end }}
+UMask=0027
 Environment="GODEBUG='madvdontneed=1'"
 Environment="BEAT_CONFIG_OPTS=-c /etc/{{.BeatName}}/{{.BeatName}}.yml"
 ExecStart=/usr/bin/{{.BeatName}} run --environment systemd $BEAT_CONFIG_OPTS

dev-tools/packaging/templates/linux/systemd.unit.tmpl

@@ -9,6 +9,7 @@ After=network-online.target
 User={{ .BeatUser }}
 Group={{ .BeatUser }}
 {{- end }}
+UMask=0027
 Environment="GODEBUG='madvdontneed=1'"
 Environment="BEAT_LOG_OPTS="
 Environment="BEAT_CONFIG_OPTS=-c /etc/{{.BeatName}}/{{.BeatName}}.yml"

filebeat/docs/filebeat-general-options.asciidoc

@@ -40,9 +40,6 @@ That means in case there are some states where the TTL expired, these are only r
 
 The permissions mask to apply on registry data file. The default value is 0600. The permissions option must be a valid Unix-style file permissions mask expressed in octal notation. In Go, numbers in octal notation must start with 0.
 
-The most permissive mask allowed is 0640. If a higher permissions mask is
-specified via this setting, it will be subject to an umask of 0027.
-
 This option is not supported on Windows.
 
 Examples:

libbeat/cmd/instance/beat.go

@@ -157,10 +157,6 @@ func initRand() {
 // instance.
 // XXX Move this as a *Beat method?
 func Run(settings Settings, bt beat.Creator) error {
-	err := setUmaskWithSettings(settings)
-	if err != nil && err != errNotImplemented {
-		return errw.Wrap(err, "could not set umask")
-	}
 
 	return handleError(func() error {
 		defer func() {
@@ -1174,10 +1170,3 @@ func initPaths(cfg *common.Config) error {
 	}
 	return nil
 }
-
-func setUmaskWithSettings(settings Settings) error {
-	if settings.Umask != nil {
-		return setUmask(*settings.Umask)
-	}
-	return setUmask(0027) // 0640 for files | 0750 for dirs
-}

libbeat/cmd/instance/settings.go

@@ -46,8 +46,6 @@ type Settings struct {
 
 	Processing processing.SupportFactory
 
-	Umask *int
-
 	// InputQueueSize is the size for the internal publisher queue in the
 	// publisher pipeline. This is only useful when the Beat plans to use
 	// beat.DropIfFull PublishMode. Leave as zero for default.

libbeat/docs/loggingconfig.asciidoc

@@ -231,9 +231,6 @@ The permissions mask to apply when rotating log files. The default value is
 expressed in octal notation. In Go, numbers in octal notation must start with
 '0'.
 
-The most permissive mask allowed is 0640. If a higher permissions mask is
-specified via this setting, it will be subject to an umask of 0027.
-
 This option is not supported on Windows.
 
 Examples:

libbeat/docs/shared-brew-run.asciidoc

@@ -8,6 +8,8 @@ run:
 brew services start elastic/tap/{beatname_lc}-full
 -----
 
+The launchd service is configured with `Umask=0027` which means the most permissive mask allowed for files created by {beatname_uc} is `0640`. All configured file permissions higher than `0640` will be ignored. Please edit the service file manually in case you need to change that.
+
 ifndef::requires-sudo[]
 To run {beatname_uc} in the foreground instead of running it as a background
 service, run:

libbeat/docs/shared-systemd.asciidoc

@@ -5,6 +5,8 @@ The DEB and RPM packages include a service unit for Linux systems with
 systemd. On these systems, you can manage {beatname_uc} by using the usual
 systemd commands.
 
+The service unit is configured with `UMask=0027` which means the most permissive mask allowed for files created by {beatname_uc} is `0640`. All configured file permissions higher than `0640` will be ignored. Please edit the unit file manually in case you need to change that.
+
 ifdef::apm-server[]
 We recommend that the {beatname_pkg} process is run as a non-root user.
 Therefore, that is the default setup for {beatname_uc}'s DEB package and RPM installation.