[Heartbeat] Setuid has perms issues with user controlled config files #28572
Labels: backport-v7.16.0 (Automated backport with mergify), bug, Team:obs-ds-hosted-services (Label for the Observability Hosted Services team), v7.16.0
botelastic (bot) added the needs_team label (Indicates that the issue/PR needs a Team:* label) Oct 20, 2021
andrewvc added the Team:obs-ds-hosted-services label (Label for the Observability Hosted Services team) Oct 20, 2021
Pinging @elastic/uptime (Team:Uptime)
botelastic (bot) removed the needs_team label (Indicates that the issue/PR needs a Team:* label) Oct 20, 2021
andrewvc changed the title from "[Heartbeat] Setuid should be after reading config files" to "[Heartbeat] Setuid has perms issues with user controlled config files" Oct 20, 2021
andrewvc added a commit to andrewvc/beats that referenced this issue Oct 20, 2021
Fixes elastic#28572 by only invoking setuid in the elastic-agent container, and no longer in the heartbeat container. See the linked issue for details.
andrewvc added a commit that referenced this issue Oct 21, 2021
Fixes #28572 by only invoking setuid in the elastic-agent container, and no longer in the heartbeat container. See the linked issue for details.
andrewvc added a commit that referenced this issue Oct 22, 2021
Fixes #28572 by only invoking setuid in the elastic-agent container, and no longer in the heartbeat container. See the linked issue for details. (cherry picked from commit da2bc89) Co-authored-by: Andrew Cholakian <[email protected]>
Icedroid pushed a commit to Icedroid/beats that referenced this issue Nov 1, 2021
Fixes elastic#28572 by only invoking setuid in the elastic-agent container, and no longer in the heartbeat container. See the linked issue for details.
In #28514 we added support for setuid-ing to a regular user from root. This wasn't thought of as a breaking change, because it generally isn't. One place where that's not quite true is that if users have config files that are owned by root with no `o+r` perms heartbeat can't read these after downgrading its credentials.

To remedy this I propose we only invoke setuid in the elastic-agent containers where we control config files completely.
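An added example, not code from Beats or from this issue: a Go check that applies the Unix owner/group/other rule to a config file for the uid and gids a process will hold after setuid, which is the failure the issue body describes for root-owned files without `o+r`. The target uid/gid 1000 and the function names are assumptions of this example, and ACLs and parent-directory search permissions are not checked.

```go
package main

import (
	"fmt"
	"os"
	"syscall"
)

const permRead os.FileMode = 4 // read bit within one rwx triplet

// allowed applies the classic Unix check: exactly one triplet is consulted
// (owner, else group, else other). ACLs and capabilities beyond root's
// override are ignored, which is an assumption of this example.
func allowed(mode os.FileMode, fileUID, fileGID, uid uint32, gids []uint32, want os.FileMode) bool {
	perm := mode.Perm()
	if uid == 0 {
		return true // root (with CAP_DAC_OVERRIDE) reads regardless of mode bits
	}
	if uid == fileUID {
		return (perm>>6)&want == want
	}
	for _, g := range gids {
		if g == fileGID {
			return (perm>>3)&want == want
		}
	}
	return perm&want == want
}

// readableAfterSetuid stats path and reports whether a process running as
// uid/gids could still open it for reading.
func readableAfterSetuid(path string, uid uint32, gids []uint32) (bool, error) {
	info, err := os.Stat(path)
	if err != nil {
		return false, err
	}
	st, ok := info.Sys().(*syscall.Stat_t)
	if !ok {
		return false, fmt.Errorf("no ownership data for %s", path)
	}
	return allowed(info.Mode(), st.Uid, st.Gid, uid, gids, permRead), nil
}

func main() {
	// Usage: go run . <config-file>...; uid/gid 1000 is a hypothetical target user.
	for _, p := range os.Args[1:] {
		ok, err := readableAfterSetuid(p, 1000, []uint32{1000})
		fmt.Printf("%s readable after drop: %v (err: %v)\n", p, ok, err)
	}
}
```

Running this as root before the credential drop, against each user-supplied config path, shows which files would become unreadable afterwards.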