Fix permissions on default state sub-directories when Agent runs as container (#2330)

* Set temp dir permissions to 0770

* Set logs dir permissions to 0775

* Adding CHANGELOG entry

* Fix kind of change in changelog entry

Author: ycombinator

changelog/fragments/1677599609-fix-container-state-dirs-perms.yaml

@@ -0,0 +1,32 @@
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: bug-fix
+
+# Change summary; a 80ish characters long description of the change.
+summary: Fixes the permissions of the `state/data/tmp` and `state/data/logs` folders when they're setup as part of running `elastic-agent container`.
+
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment.
+#description:
+
+# Affected component; a word indicating the component this changeset affects.
+component: agent
+
+# PR URL; optional; the PR number that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+pr: https://github.com/elastic/elastic-agent/pull/2330
+
+# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+issue: https://github.com/elastic/elastic-agent/issues/2315

internal/pkg/agent/application/paths/common.go

@@ -22,6 +22,7 @@ const (
 	// AgentLockFileName is the name of the overall Elastic Agent file lock.
 	AgentLockFileName = "agent.lock"
 	tempSubdir        = "tmp"
+	tempSubdirPerms   = 0770
 
 	darwin = "darwin"
 )
@@ -85,7 +86,7 @@ func TempDir() string {
 	tmpDir := filepath.Join(Data(), tempSubdir)
 	tmpCreator.Do(func() {
 		// create tempdir as it probably don't exists
-		_ = os.MkdirAll(tmpDir, 0750)
+		_ = os.MkdirAll(tmpDir, tempSubdirPerms)
 	})
 	return tmpDir
 }

internal/pkg/agent/cmd/container.go

@@ -43,6 +43,8 @@ const (
 	defaultRequestRetrySleep = "1s"                             // sleep 1 sec between retries for HTTP requests
 	defaultMaxRequestRetries = "30"                             // maximum number of retries for HTTP requests
 	defaultStateDirectory    = "/usr/share/elastic-agent/state" // directory that will hold the state data
+
+	logsPathPerms = 0775
 )
 
 var (
@@ -150,7 +152,7 @@ func logContainerCmd(streams *cli.IOStreams) error {
 	logsPath := envWithDefault("", "LOGS_PATH")
 	if logsPath != "" {
 		// log this entire command to a file as well as to the passed streams
-		if err := os.MkdirAll(logsPath, 0755); err != nil {
+		if err := os.MkdirAll(logsPath, logsPathPerms); err != nil {
 			return fmt.Errorf("preparing LOGS_PATH(%s) failed: %w", logsPath, err)
 		}
 		logPath := filepath.Join(logsPath, "elastic-agent-startup.log")
@@ -795,14 +797,14 @@ func setPaths(statePath, configPath, logsPath string, writePaths bool) error {
 	if logsPath != "" {
 		paths.SetLogs(logsPath)
 		// ensure that the logs directory exists
-		if err := os.MkdirAll(filepath.Join(logsPath), 0755); err != nil {
+		if err := os.MkdirAll(filepath.Join(logsPath), logsPathPerms); err != nil {
 			return fmt.Errorf("preparing LOGS_PATH(%s) failed: %w", logsPath, err)
 		}
 	}
 
 	// ensure that the internal logger directory exists
 	loggerPath := filepath.Join(paths.Home(), logger.DefaultLogDirectory)
-	if err := os.MkdirAll(loggerPath, 0755); err != nil {
+	if err := os.MkdirAll(loggerPath, logsPathPerms); err != nil {
 		return fmt.Errorf("preparing internal log path(%s) failed: %w", loggerPath, err)
 	}