[os packages] local permission adjustments #66614

Merged
merged 5 commits into from
Jul 13, 2020

jbudz
Member

@jbudz jbudz commented May 14, 2020

This adds a few specific permission changes to limit source files to the minimum. This also adds a flag to rpmbuild to pass through our repository's current permission set.

I'm running local builds here for testing now, so leaving this as draft for the moment. CI for tests.

edit: uhh, or I can forget to set it as a draft. It's a draft.

@jbudz jbudz added Team:Operations Team label for Operations Team v8.0.0 release_note:skip Skip the PR/issue when compiling release notes v7.8.0 labels May 14, 2020
@jbudz jbudz requested a review from a team as a code owner May 14, 2020 18:50
@elasticmachine
Contributor

Pinging @elastic/kibana-operations (Team:Operations)

@spalger spalger marked this pull request as draft May 14, 2020 18:50
@tylersmalley
Contributor

@elasticmachine merge upstream

@tylersmalley
Contributor

@jbudz is this ready for review?

@tylersmalley
Contributor

@elasticmachine merge upstream

@jbudz jbudz force-pushed the fix/package-permissions branch from a6ab6cc to 27cb13c Compare May 26, 2020 16:51
@jbudz jbudz marked this pull request as ready for review May 26, 2020 16:53
@jbudz
Member Author

jbudz commented May 26, 2020

I'll add builds here shortly.

@jbudz
Member Author

jbudz commented Jun 1, 2020

@elasticmachine merge upstream

@jbudz
Member Author

jbudz commented Jun 8, 2020

@elasticmachine merge upstream

@tylersmalley
Contributor

A couple things:

/usr/share/kibana

drwxr-xr-x   10 tyler tyler     4096 Jun 11 07:08 ./
drwxr-xr-x  137 root  root      4096 Jun 11 07:07 ../
-rw-r--r--    1 tyler tyler     2735 Jun 10 16:23 .i18nrc.json
-rw-r--r--    1 tyler tyler    13675 Jun 10 16:23 LICENSE.txt
-rw-r--r--    1 tyler tyler  1810365 Jun 10 16:23 NOTICE.txt
-rw-r--r--    1 tyler tyler     4057 Jun 10 16:23 README.txt
drwxr-xr-x    2 tyler tyler     4096 Jun 11 07:08 bin/
drwxr-xr-x    5 tyler tyler     4096 Jun 11 07:07 built_assets/
drwxr-xr-x    6 tyler tyler     4096 Jun 11 07:08 node/
drwxr-xr-x 1634 tyler tyler    73728 Jun 11 07:08 node_modules/
-rw-r--r--    1 tyler tyler      751 Jun 10 16:23 package.json
drwxr-xr-x    2 root  kibana    4096 Jun 10 16:23 plugins/
drwxr-xr-x   11 tyler tyler     4096 Jun 11 07:08 src/
drwxr-xr-x    2 tyler tyler     4096 Jun 11 07:08 webpackShims/
drwxr-xr-x    5 tyler tyler     4096 Jun 11 07:08 x-pack/
  • files should be owned by root:kibana

/etc/kibana should have kibana group and should not be world readable or executable.

/var/lib/kibana

drwxr-xr-x  3 root kibana 4096 Jun 11 07:07 ./
drwxr-xr-x 40 root root   4096 Jun 11 07:07 ../
drwxr-xr-x  2 root kibana 4096 Jun 11 07:08 optimize/
  • should not have any world permissions
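
An added example, not part of the PR or the Kibana code base: a Python audit that walks the three directories named in the comment above and reports entries that break the ownership and mode expectations it lists. The `Rule` tuple, `POLICY` table and function names are assumptions made for this example.

```python
import grp
import os
import pwd
import stat
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    owner: Optional[str]  # expected user name, None = not checked
    group: Optional[str]  # expected group name, None = not checked
    forbidden: int        # permission bits that must be clear

# Expectations from the review comment; the paths are the ones it lists.
POLICY = {
    "/usr/share/kibana": Rule("root", "kibana", 0),
    "/etc/kibana": Rule(None, "kibana", stat.S_IROTH | stat.S_IXOTH),
    "/var/lib/kibana": Rule(None, None, stat.S_IRWXO),
}

def id_name(lookup, ident):
    """Resolve a uid/gid to a name; fall back to the number if unmapped."""
    try:
        return lookup(ident)[0]
    except KeyError:
        return str(ident)

def audit(root, rule):
    """Return sorted (path, problem) pairs for root and everything below it."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    findings = []
    for path in paths:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # symlinks are skipped: their own mode bits grant no access
        mode = stat.S_IMODE(st.st_mode)
        owner, group = id_name(pwd.getpwuid, st.st_uid), id_name(grp.getgrgid, st.st_gid)
        if rule.owner is not None and owner != rule.owner:
            findings.append((path, f"owner {owner}, expected {rule.owner}"))
        if rule.group is not None and group != rule.group:
            findings.append((path, f"group {group}, expected {rule.group}"))
        if mode & rule.forbidden:
            findings.append((path, f"mode {mode:04o} sets forbidden bits {mode & rule.forbidden:03o}"))
    return sorted(findings)

if __name__ == "__main__":
    for root, rule in POLICY.items():
        for path, problem in audit(root, rule) if os.path.isdir(root) else []:
            print(f"{path}: {problem}")
```

Run against the `/var/lib/kibana` listing shown above, both `./` and `optimize/` (mode `drwxr-xr-x`) would be reported for their world read and execute bits.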

@tylersmalley
Contributor

tylersmalley commented Jun 11, 2020

A separate issue I believe is related to the change of the config directory:

/usr/share/kibana  bin/kibana --optimize                                                                                                                    ✔
FATAL CLI ERROR Error: ENOENT: no such file or directory, open '/usr/share/kibana/config/kibana.yml'
    at Object.openSync (fs.js:443:3)
    at readFileSync (fs.js:343:35)
    at readYaml (/usr/share/kibana/src/core/server/config/read_config.js:34:69)
    at getConfigFromFiles (/usr/share/kibana/src/core/server/config/read_config.js:66:18)
    at RawConfigService.loadConfig (/usr/share/kibana/src/core/server/config/raw_config_service.js:51:70)
    at bootstrap (/usr/share/kibana/src/core/server/bootstrap.js:61:20)
    at Command.<anonymous> (/usr/share/kibana/src/cli/serve/serve.js:195:33)
    at Command.<anonymous> (/usr/share/kibana/src/cli/command.js:111:20)
    at Command.listener (/usr/share/kibana/node_modules/commander/index.js:291:8)
    at Command.emit (events.js:198:13)
    at Command.parseArgs (/usr/share/kibana/node_modules/commander/index.js:672:12)
    at Command.parse (/usr/share/kibana/node_modules/commander/index.js:459:21)
    at Object.<anonymous> (/usr/share/kibana/src/cli/cli.js:60:9)
    at Module._compile (internal/modules/cjs/loader.js:778:30)
    at Module._compile (/usr/share/kibana/node_modules/pirates/lib/index.js:99:24)
    at Module._extensions..js (internal/modules/cjs/loader.js:789:10)

If I resolve that with sudo mkdir -p /usr/share/kibana/data/optimize/ && sudo chown kibana:kibana /usr/share/kibana/data/optimize/, I get another error.

FATAL CLI ERROR Error: ENOENT: no such file or directory, open '/usr/share/kibana/config/kibana.yml'
    at Object.openSync (fs.js:443:3)
    at readFileSync (fs.js:343:35)
    at readYaml (/usr/share/kibana/src/core/server/config/read_config.js:34:69)
    at getConfigFromFiles (/usr/share/kibana/src/core/server/config/read_config.js:66:18)
    at RawConfigService.loadConfig (/usr/share/kibana/src/core/server/config/raw_config_service.js:51:70)
    at bootstrap (/usr/share/kibana/src/core/server/bootstrap.js:61:20)
    at Command.<anonymous> (/usr/share/kibana/src/cli/serve/serve.js:195:33)
    at Command.<anonymous> (/usr/share/kibana/src/cli/command.js:111:20)
    at Command.listener (/usr/share/kibana/node_modules/commander/index.js:291:8)
    at Command.emit (events.js:198:13)
    at Command.parseArgs (/usr/share/kibana/node_modules/commander/index.js:672:12)
    at Command.parse (/usr/share/kibana/node_modules/commander/index.js:459:21)
    at Object.<anonymous> (/usr/share/kibana/src/cli/cli.js:60:9)
    at Module._compile (internal/modules/cjs/loader.js:778:30)
    at Module._compile (/usr/share/kibana/node_modules/pirates/lib/index.js:99:24)
    at Module._extensions..js (internal/modules/cjs/loader.js:789:10)

Contributor

@tylersmalley tylersmalley left a comment

Couple more permission changes detailed in a comment.

@tylersmalley
Contributor

Mind also building the RPM and DEB packages while we iterate on this PR?

@spalger spalger added v7.8.1 and removed v7.8.0 labels Jun 18, 2020
@jbudz
Member Author

jbudz commented Jul 1, 2020

Roger on the distributions, this one's taken a few builds so let's say WIP for the moment

@tylersmalley
Contributor

Ok, just ping me when it's ready for review.

@jbudz jbudz force-pushed the fix/package-permissions branch from 30d7e8a to 91c78be Compare July 8, 2020 20:55
@jbudz
Member Author

jbudz commented Jul 8, 2020

Good to go. Note to self, eec4079 keystore setup after we've moved it to config

@LeeDr LeeDr added v7.9.0 and removed v7.8.1 labels Jul 9, 2020
@LeeDr

LeeDr commented Jul 9, 2020

I'm not sure if this is a bug fix or an enhancement? It missed v7.8.1 so I removed that label and added v7.9.0

@tylersmalley
Contributor

tylersmalley commented Jul 10, 2020

Looking much better!

Only thing which is odd so far is that I am missing logs in /var/log/kibana.

I see the logs in journalctl:

$ journalctl -u kibana.service
Jul 06 20:13:29 tyler-ubuntu systemd[1]: Started Kibana.
Jul 06 20:13:30 tyler-ubuntu kibana[4512]: {"type":"log","@timestamp":"2020-07-06T20:13:30+00:00","tags":["warning","plugins-discovery"],"pid":4512,"message":"Expect plugin \"id\" in camelCase, but found: beats_management"}
...

@jbudz
Member Author

jbudz commented Jul 13, 2020

@elasticmachine merge upstream

@jbudz
Member Author

jbudz commented Jul 13, 2020

#6579 👍 - we'll have to add logging.dest to kibana.yml or the CLI

@jbudz jbudz merged commit 2c19feb into elastic:master Jul 13, 2020
jbudz added a commit that referenced this pull request Jul 13, 2020
* outline permissions

* rm keystore setup

Co-authored-by: Elastic Machine <[email protected]>
@jbudz
Member Author

jbudz commented Jul 13, 2020

7.x/7.9: ac93ac6

@jbudz jbudz added the backport:skip This commit does not require backporting label Jul 13, 2020
@kibanamachine
Contributor

💚 Build Succeeded

Build metrics

✅ unchanged

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

Labels
backport:skip This commit does not require backporting release_note:skip Skip the PR/issue when compiling release notes Team:Operations Team label for Operations Team v7.9.0 v8.0.0