[Resume] Improve ownership and permissions of files in OpenSearch/Das…

…hboards deb and rpm packages (#4043) Signed-off-by: Romain Tartière <[email protected]> Signed-off-by: Peter Zhu <[email protected]> Co-authored-by: Romain Tartière <[email protected]>
opensearch-project · Mar 15, 2024 · 88dfb7f · 88dfb7f
1 parent ed5821e
commit 88dfb7f
Show file tree

Hide file tree

Showing 6 changed files with 45 additions and 25 deletions.
diff --git a/scripts/pkg/build_templates/opensearch-dashboards/deb/debian/postinst b/scripts/pkg/build_templates/opensearch-dashboards/deb/debian/postinst
@@ -40,11 +40,16 @@ echo " In a future release of OpenSearch Dashboards, we plan to change the permi
 echo " If you are configuring tools that require read access to the OpenSearch Dashboards configuration files, we recommend you add the user that runs these tools to the 'opensearch-dashboards' group"
 echo " For more information, see https://github.com/opensearch-project/opensearch-build/pull/4043"
 
-# Set owner
-chown -R opensearch-dashboards.opensearch-dashboards ${product_dir}
-chown -R opensearch-dashboards.opensearch-dashboards ${config_dir}
-chown -R opensearch-dashboards.opensearch-dashboards ${log_dir}
+# Set ownership and permissions
+chown -R root.opensearch-dashboards ${config_dir}
+chmod -R u=rwX,g=rX,o= ${config_dir}
+
+chown -R opensearch-dashboards.adm ${log_dir}
+chmod 750 ${log_dir}
+
 chown -R opensearch-dashboards.opensearch-dashboards ${data_dir}
+chmod 750 ${data_dir}
+
 chown -R opensearch-dashboards.opensearch-dashboards ${pid_dir}
 
 exit 0

diff --git a/...ts/pkg/build_templates/opensearch-dashboards/deb/debmake_opensearch_dashboards_install.sh b/...ts/pkg/build_templates/opensearch-dashboards/deb/debmake_opensearch_dashboards_install.sh
@@ -42,6 +42,7 @@ ln -s ${data_dir} ${buildroot}${product_dir}/data
 ln -s ${log_dir}  ${buildroot}${product_dir}/logs
 
 # Change Permissions
-chmod -Rf a+rX,u+w,g-w,o-w ${buildroot}/*
+chmod -Rf g-s ${buildroot}/*
+chmod -Rf u=rwX,g=rX,o=rX ${buildroot}/*
 
 exit 0
diff --git a/scripts/pkg/build_templates/opensearch-dashboards/rpm/opensearch-dashboards.rpm.spec b/scripts/pkg/build_templates/opensearch-dashboards/rpm/opensearch-dashboards.rpm.spec
@@ -63,7 +63,8 @@ chmod 0755 %{buildroot}%{product_dir}/bin/*
 ln -s %{data_dir} %{buildroot}%{product_dir}/data
 ln -s %{log_dir}  %{buildroot}%{product_dir}/logs
 # Change Permissions
-chmod -Rf a+rX,u+w,g-w,o-w %{buildroot}/*
+chmod -Rf g-s %{buildroot}/*
+chmod -Rf u=rwX,g=rX,o= %{buildroot}/etc
 exit 0
 
 %pre
@@ -82,6 +83,7 @@ exit 0
 
 %post
 set -e
+chown -R root.%{name} %{config_dir}
 # Reload systemctl daemon
 if command -v systemctl > /dev/null; then
     systemctl daemon-reload
@@ -112,7 +114,7 @@ exit 0
 
 %files
 # Permissions
-%defattr(-, %{name}, %{name})
+%defattr(-, root, root)
 
 # Root dirs/docs/licenses
 %dir %{product_dir}
@@ -141,9 +143,9 @@ exit 0
 %{product_dir}/node_modules
 %{product_dir}/plugins
 %{product_dir}/src
-%{log_dir}
-%{pid_dir}
-%dir %{data_dir}
+%attr(750, %{name}, %{name}) %{log_dir}
+%attr(750, %{name}, %{name}) %{pid_dir}
+%dir %attr(750, %{name}, %{name}) %{data_dir}
 
 # Symlinks
 %{product_dir}/data

diff --git a/scripts/pkg/build_templates/opensearch/deb/debian/postinst b/scripts/pkg/build_templates/opensearch/deb/debian/postinst
@@ -36,11 +36,17 @@ if ! grep -q '## OpenSearch Performance Analyzer' ${config_dir}/jvm.options; the
    echo "--add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED" >> ${config_dir}/jvm.options
 fi
 
-# Set owner
-chown -R opensearch.opensearch ${product_dir}
+# Set ownership and permissions
+# FIXME: the opensearch service should not have w permission in the config directory
 chown -R opensearch.opensearch ${config_dir}
-chown -R opensearch.opensearch ${log_dir}
+chmod -R u=rwX,g=rX,o= ${config_dir}
+
+chown -R opensearch.adm ${log_dir}
+chmod 750 ${log_dir}
+
 chown -R opensearch.opensearch ${data_dir}
+chmod 750 ${data_dir}
+
 chown -R opensearch.opensearch ${pid_dir}
 
 # Reload systemctl daemon

diff --git a/scripts/pkg/build_templates/opensearch/deb/debmake_opensearch_install.sh b/scripts/pkg/build_templates/opensearch/deb/debmake_opensearch_install.sh
@@ -41,6 +41,7 @@ ln -s ${data_dir} ${buildroot}${product_dir}/data
 ln -s ${log_dir}  ${buildroot}${product_dir}/logs
 
 # Change Permissions
-chmod -Rf a+rX,u+w,g-w,o-w ${buildroot}/*
+chmod -Rf g-s ${buildroot}/*
+chmod -Rf u=rwX,g=rX,o=rX ${buildroot}/*
 
 exit 0
diff --git a/scripts/pkg/build_templates/opensearch/rpm/opensearch.rpm.spec b/scripts/pkg/build_templates/opensearch/rpm/opensearch.rpm.spec
@@ -75,7 +75,8 @@ if [ ! -f %{buildroot}%{data_dir}/performance_analyzer_enabled.conf ]; then
     echo 'true' > %{buildroot}%{data_dir}/performance_analyzer_enabled.conf
 fi
 # Change Permissions
-chmod -Rf a+rX,u+w,g-w,o-w %{buildroot}/*
+chmod -Rf g-s %{buildroot}/*
+chmod -Rf u=rwX,g=rX,o= %{buildroot}/etc
 exit 0
 
 %pre
@@ -186,13 +187,6 @@ exit 0
 # Permissions
 %defattr(-, %{name}, %{name})
 
-# Root dirs/docs/licenses
-%dir %{product_dir}
-%doc %{product_dir}/NOTICE.txt
-%doc %{product_dir}/README.md
-%license %{product_dir}/LICENSE.txt
-%{product_dir}/manifest.yml
-
 # Config dirs/files
 %dir %{config_dir}
 %{config_dir}/jvm.options.d
@@ -211,16 +205,27 @@ exit 0
 %attr(0644, root, root) %config(noreplace) %{_prefix}/lib/sysctl.d/%{name}.conf
 %attr(0644, root, root) %config(noreplace) %{_prefix}/lib/tmpfiles.d/%{name}.conf
 
+%dir %attr(750, %{name}, %{name}) %{data_dir}
+%attr(750, %{name}, %{name}) %{log_dir}
+%attr(750, %{name}, %{name}) %{pid_dir}
+
+# Permissions
+%defattr(-, root, root)
+
+# Root dirs/docs/licenses
+%dir %{product_dir}
+%doc %{product_dir}/NOTICE.txt
+%doc %{product_dir}/README.md
+%license %{product_dir}/LICENSE.txt
+%{product_dir}/manifest.yml
+
 # Main dirs
 %{product_dir}/bin
 %{product_dir}/jdk
 %{product_dir}/lib
 %{product_dir}/modules
 %{product_dir}/performance-analyzer-rca
 %{product_dir}/plugins
-%{log_dir}
-%{pid_dir}
-%dir %{data_dir}
 
 # Symlinks
 %{product_dir}/data