Auditbeat output.file ignores permissions

vaclav · May 14, 2020, 12:15pm

Hello,
I found in latest auditbeat version 7.7.0 that auditbeat output file is created with permission 640 even if I set output file permission to 644.

I have this configuration in auditbeat.yml

output.file:
  path: "/var/auditbeat/logs"
  filename: auditbeat
  rotate_every_kb: 20000
  number_of_files: 2
  permissions: 0644

but output file have permission 640

ubuntu:/var/auditbeat/logs# ls -alF
total 184
drwxr-xr-x 2 root root   4096 May 14 05:12 ./
drwxr-xr-x 3 root root   4096 May 14 05:11 ../
-rw-r----- 1 root root 177590 May 14 05:12 auditbeat

Could it be bug ? It works in version 7.4.0

Thank you

andrewkroh · May 14, 2020, 1:10pm

Those permissions are pre-umask. This is why it becomes 0640. The logger creates the file with 0644, but then the OS applies the processes umask to that mode value. The process has an 027 umask most likely.

I see there was a change in https://github.com/elastic/beats/pull/14119 to make the Beat set its own umask. So since the file output doesn't do an explicit chmod on the file you'll never get the configured permissions. This seems like a bug to me since users lose control of the permissions since they cannot control the process umask anymore.

vaclav · May 15, 2020, 7:38am

than you Andrew, I will create bug

system · June 5, 2020, 7:38am

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.