Revert "Set default umask of 0027 for all Beats-created files (elasti…

…c#14119)" This reverts commit 2bb87cf.
rdner · Jan 14, 2022 · f78884d · f78884d
1 parent acf695a
commit f78884d
Show file tree

Hide file tree

Showing 7 changed files with 16 additions and 51 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -31,6 +31,16 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add job.name in pods controlled by Jobs {pull}28954[28954]
 - Change Docker base image from CentOS 7 to Ubuntu 20.04 {pull}29681[29681]
 - Enrich kubernetes metadata with node annotations. {pull}29605[29605]
+- Update to Golang 1.12.1. {pull}11330[11330]
+- Update to Golang 1.12.4. {pull}11782[11782]
+- Update to ECS 1.0.1. {pull}12284[12284] {pull}12317[12317]
+- Default of output.kafka.metadata.full is set to false by now. This reduced the amount of metadata to be queried from a kafka cluster. {pull}12738[12738]
+- Fixed a crash under Windows when fetching processes information. {pull}12833[12833]
+- Update to Golang 1.12.7. {pull}12931[12931]
+- Remove `in_cluster` configuration parameter for Kuberentes, now in-cluster configuration is used only if no other kubeconfig is specified {pull}13051[13051]
+- Disable Alibaba Cloud and Tencent Cloud metadata providers by default. {pull}13812[12812]
+- Libbeat HTTP's Server can listen to a unix socket using the `unix:///tmp/hello.sock` syntax. {pull}13655[13655]
+- Libbeat HTTP's Server can listen to a Windows named pipe using the `npipe:///hello` syntax. {pull}13655[13655]
 
 *Auditbeat*
 

diff --git a/filebeat/docs/filebeat-general-options.asciidoc b/filebeat/docs/filebeat-general-options.asciidoc
@@ -40,15 +40,13 @@ That means in case there are some states where the TTL expired, these are only r
 
 The permissions mask to apply on registry data file. The default value is 0600. The permissions option must be a valid Unix-style file permissions mask expressed in octal notation. In Go, numbers in octal notation must start with 0.
 
-The most permissive mask allowed is 0640. If a higher permissions mask is
-specified via this setting, it will be subject to a umask of 0027.
-
 This option is not supported on Windows.
 
 Examples:
 
-    0640: give read and write access to the file owner, and read access to members of the group associated with the file.
+    0644: give read and write access to the file owner, and read access to all others.
     0600: give read and write access to the file owner, and no access to all others.
+    0664: give read and write access to the file owner and members of the group associated with the file, as well as read access to all other users.
 
 [source,yaml]
 -------------------------------------------------------------------------------------

diff --git a/filebeat/tests/system/test_registrar.py b/filebeat/tests/system/test_registrar.py
@@ -199,7 +199,7 @@ def test_registry_file_custom_permissions(self):
         self.render_config_template(
             path=os.path.abspath(self.working_dir) + "/log/*",
             registry_home=registry_home,
-            registry_file_permissions=0o640,
+            registry_file_permissions=0644,
         )
         os.mkdir(self.working_dir + "/log/")
         testfile_path = self.working_dir + "/log/test.log"
@@ -216,7 +216,7 @@ def test_registry_file_custom_permissions(self):
             max_timeout=1)
         filebeat.check_kill_and_wait()
 
-        self.assertEqual(self.file_permissions(os.path.join(registry_path, "log.json")), "0o640")
+        self.assertEqual(self.file_permissions(registry_file), "0644")
 
     def test_registry_file_update_permissions(self):
         """
@@ -255,7 +255,7 @@ def test_registry_file_update_permissions(self):
         self.render_config_template(
             path=os.path.abspath(self.working_dir) + "/log/*",
             registry_home="a/b/c/registry_x",
-            registry_file_permissions=0o640
+            registry_file_permissions=0644
         )
 
         filebeat = self.start_beat()
@@ -273,7 +273,7 @@ def test_registry_file_update_permissions(self):
 
         filebeat.check_kill_and_wait()
 
-        self.assertEqual(self.file_permissions(os.path.join(registry_path, "log.json")), "0o640")
+        self.assertEqual(self.file_permissions(registry_file), "0644")
 
     @unittest.skipIf(platform.system() == 'Darwin' or os.name == 'nt',
                      'Flaky test: https://github.com/elastic/beats/issues/26378')

diff --git a/libbeat/cmd/instance/beat.go b/libbeat/cmd/instance/beat.go
@@ -157,10 +157,6 @@ func initRand() {
 // instance.
 // XXX Move this as a *Beat method?
 func Run(settings Settings, bt beat.Creator) error {
-	err := setUmaskWithSettings(settings)
-	if err != nil && err != errNotImplemented {
-		return errw.Wrap(err, "could not set umask")
-	}
 
 	return handleError(func() error {
 		defer func() {
@@ -1174,10 +1170,3 @@ func initPaths(cfg *common.Config) error {
 	}
 	return nil
 }
-
-func setUmaskWithSettings(settings Settings) error {
-	if settings.Umask != nil {
-		return setUmask(*settings.Umask)
-	}
-	return setUmask(0027) // 0640 for files | 0750 for dirs
-}
diff --git a/libbeat/cmd/instance/settings.go b/libbeat/cmd/instance/settings.go
@@ -46,8 +46,6 @@ type Settings struct {
 
 	Processing processing.SupportFactory
 
-	Umask *int
-
 	// InputQueueSize is the size for the internal publisher queue in the
 	// publisher pipeline. This is only useful when the Beat plans to use
 	// beat.DropIfFull PublishMode. Leave as zero for default.

diff --git a/libbeat/cmd/instance/umask_windows.go b/libbeat/cmd/instance/umask_windows.go
diff --git a/libbeat/tests/system/config/mockbeat.yml.j2 b/libbeat/tests/system/config/mockbeat.yml.j2
@@ -64,9 +64,6 @@ output:
     path: {{ output_file_path|default(beat.working_dir + "/output") }}
     filename: "{{ output_file_filename|default("mockbeat") }}"
     rotate_every_kb: 1000
-    {% if output_file_permissions %}
-    permissions: {{ output_file_permissions }}
-    {% endif %}
     #number_of_files: 7
   {%- endif %}