Fix files ownership and permissions for Dashboards

Similar to the issue fixed in #3898, OpenSearch-Dashboards package has unexpected files owner and permissions. This ensure the installed files are not owner by the opensearch-dashboards user (preventing the program to overwrite itself with malicious code if the service has some kind of vulnerability), and make sure logs and data cannot be accessed by random users. Signed-off-by: Romain Tartière <[email protected]>
opensearch-project · Sep 11, 2023 · 407415f · 407415f
1 parent 4743a92
commit 407415f
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 10 deletions.
diff --git a/scripts/pkg/build_templates/opensearch-dashboards/deb/debian/postinst b/scripts/pkg/build_templates/opensearch-dashboards/deb/debian/postinst
@@ -36,11 +36,15 @@ echo " sudo systemctl enable opensearch-dashboards.service"
 echo "### You can start opensearch-dashboards service by executing"
 echo " sudo systemctl start opensearch-dashboards.service"
 
-# Set owner
-chown -R opensearch-dashboards.opensearch-dashboards ${product_dir}
-chown -R opensearch-dashboards.opensearch-dashboards ${config_dir}
-chown -R opensearch-dashboards.opensearch-dashboards ${log_dir}
+# Set ownership and permissions
+chmod -R u=rwX,g=rX,o= ${config_dir}
+
+chown -R opensearch-dashboards.adm ${log_dir}
+chmod 750 ${log_dir}
+
 chown -R opensearch-dashboards.opensearch-dashboards ${data_dir}
+chmod 750 ${data_dir}
+
 chown -R opensearch-dashboards.opensearch-dashboards ${pid_dir}
 
 exit 0

diff --git a/...ts/pkg/build_templates/opensearch-dashboards/deb/debmake_opensearch_dashboards_install.sh b/...ts/pkg/build_templates/opensearch-dashboards/deb/debmake_opensearch_dashboards_install.sh
@@ -42,6 +42,7 @@ ln -s ${data_dir} ${buildroot}${product_dir}/data
 ln -s ${log_dir}  ${buildroot}${product_dir}/logs
 
 # Change Permissions
-chmod -Rf a+rX,u+w,g-w,o-w ${buildroot}/*
+chmod -Rf g-s ${buildroot}/*
+chmod -Rf u=rwX,g=rX,o=rX ${buildroot}/*
 
 exit 0
diff --git a/scripts/pkg/build_templates/opensearch-dashboards/rpm/opensearch-dashboards.rpm.spec b/scripts/pkg/build_templates/opensearch-dashboards/rpm/opensearch-dashboards.rpm.spec
@@ -56,7 +56,8 @@ chmod 0755 %{buildroot}%{product_dir}/bin/*
 ln -s %{data_dir} %{buildroot}%{product_dir}/data
 ln -s %{log_dir}  %{buildroot}%{product_dir}/logs
 # Change Permissions
-chmod -Rf a+rX,u+w,g-w,o-w %{buildroot}/*
+chmod -Rf g-s %{buildroot}/*
+chmod -Rf u=rwX,g=rX,o= %{buildroot}/etc
 exit 0
 
 %pre
@@ -101,7 +102,7 @@ exit 0
 
 %files
 # Permissions
-%defattr(-, %{name}, %{name})
+%defattr(-, root, root)
 
 # Root dirs/docs/licenses
 %dir %{product_dir}
@@ -130,9 +131,9 @@ exit 0
 %{product_dir}/node_modules
 %{product_dir}/plugins
 %{product_dir}/src
-%{log_dir}
-%{pid_dir}
-%dir %{data_dir}
+%attr(750, %{name}, %{name}) %{log_dir}
+%attr(750, %{name}, %{name}) %{pid_dir}
+%dir %attr(750, %{name}, %{name}) %{data_dir}
 
 # Symlinks
 %{product_dir}/data