Skip to content

Ensure CAP_CHOWN capability is included if root user is required #2331

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jan 13, 2025
Merged

Ensure CAP_CHOWN capability is included if root user is required #2331

merged 2 commits into from
Jan 13, 2025

Conversation

mrodm
Copy link
Contributor

@mrodm mrodm commented Jan 10, 2025
edited
Loading

Ensure that CAP_CHOWN capability is present in the docker-compose scenario for the Elastic Agent container when the package requires or sets root privileges.

Fixes #2330

Additional:

  • Take into account if a data stream manifest defines that it requires root privileges.

Author's checklist

@mrodm mrodm self-assigned this Jan 10, 2025
@mrodm
Copy link
Contributor Author

mrodm commented Jan 10, 2025

test integrations

@elastic-vault-github-plugin-prod elastic-vault-github-plugin-prod bot mentioned this pull request Jan 10, 2025
Closed
@elastic-vault-github-plugin-prod
Copy link

Created or updated PR in integrations repository to test this version. Check elastic/integrations#12295

@mrodm
Copy link
Contributor Author

mrodm commented Jan 10, 2025

Package nginx that does not require root:

    healthcheck:
      test: "elastic-agent status"
      retries: 180
      interval: 1s

    cap_drop:
      - ALL

Package auditd_manager that require root:

    healthcheck:
      test: "elastic-agent status"
      retries: 180
      interval: 1s
    
    pid: host

    user: root

    cap_add: [AUDIT_CONTROL,AUDIT_READ,CAP_CHOWN]
    
    cap_drop:
      - ALL

Package fim that requires root:

    healthcheck:
      test: "elastic-agent status"
      retries: 180
      interval: 1s
  
    user: root
   
    cap_add: [CAP_CHOWN]
    
    cap_drop:
      - ALL

@elasticmachine
Copy link
Collaborator

💚 Build Succeeded

History

cc @mrodm

@mrodm
Copy link
Contributor Author

mrodm commented Jan 10, 2025

test integrations

@elastic-vault-github-plugin-prod
Copy link

Created or updated PR in integrations repository to test this version. Check elastic/integrations#12295

mrodm
mrodm commented Jan 10, 2025
View reviewed changes
internal/testrunner/runners/system/tester.go
// and it should not be overwritten by the value in the manifest
if info.Agent.User == "" && agentManifest.Privileges.Root {
// and it should not be overwritten by the value in the package or DataStream manifest
if info.Agent.User == "" && (r.pkgManifest.Agent.Privileges.Root || r.dataStreamManifest.Agent.Privileges.Root) {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Previously, it was just considered the privileges settings from package manifest. It was no taken into account the one from the data stream manifest.

@mrodm mrodm marked this pull request as ready for review January 10, 2025 16:22
@mrodm mrodm requested a review from a team January 10, 2025 16:22
@mrodm mrodm changed the title Ensure CAP_CHOWN is included if root user is required Ensure CAP_CHOWN capability is included if root user is required Jan 10, 2025
@mrodm mrodm merged commit aa5ebfe into elastic:main Jan 13, 2025
3 checks passed
@mrodm mrodm deleted the add-cap-chown-for-root branch January 13, 2025 09:41
@mrodm mrodm mentioned this pull request Jan 22, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jsoriano jsoriano jsoriano approved these changes

Assignees

@mrodm mrodm

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add CAP_CHOWN capability if package requires root privileges
3 participants
@mrodm @elasticmachine @jsoriano