Debian package creates configuration file writable by the elasticsearch process


(Joost Cassee) #1

I just installed Elasticsearch 6.4.3 on a fresh Ubuntu 18.04 system from the Apt repository. I noticed that the configuration files in /etc/elasticsearch are writable by group elasticsearch, which the elasticsearch process runs as.

Is this correct? Configuration is usually only changed by the administrator, not by the application itself. Some applications provide a way to change their own configuration, but I don't think Elasticsearch does.

Any problem restricting access by removing the group writable bits?

Best,
Joost


(David Turner) #2

I think you're right, but please try it out in a safe environment before changing your production environment :) The intention is that the elasticsearch group contains Elasticsearch administrators too. I expect the Java security manager prevents us writing to these files, but I can see a case for using filesystem permissions to clarify that. Would you open an issue at https://github.com/elastic/elasticsearch/issues to raise this for wider discussion and possible remedy?


(Joost Cassee) #3

Thanks, I have opened an issue on GitHub: https://github.com/elastic/elasticsearch/issues/35634
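
As an added example, not part of the thread or of Elasticsearch's packaging: a shell script that lists the entries under a configuration directory that a given group can write to and, only when asked, clears the group write bit. The function names and the `CONF_DIR`/`SVC_GROUP` variables are hypothetical; their defaults are the directory and group named in the first post.

```shell
#!/bin/sh
# Added example: audit group write access on a service's configuration directory.
# Defaults follow the first post; function and variable names are hypothetical.
CONF_DIR=${CONF_DIR:-/etc/elasticsearch}
SVC_GROUP=${SVC_GROUP:-elasticsearch}

# List entries under $1 that belong to group $2 and have the group write bit set.
# Directories are included on purpose: group write on a directory lets a member
# replace files inside it even when the files themselves are read-only.
# Symlinks are skipped: their mode bits are not meaningful and chmod would
# follow them to the target.
group_writable() {
    find "$1" -group "$2" -perm -020 ! -type l -print 2>/dev/null | sort
}

# Clear the group write bit on everything group_writable reports.
drop_group_write() {
    group_writable "$1" "$2" | while IFS= read -r path; do
        chmod g-w "$path"
    done
}

# Does nothing without an argument; --report only lists, --fix changes modes.
case "${1:-}" in
    --report) group_writable "$CONF_DIR" "$SVC_GROUP" ;;
    --fix)    drop_group_write "$CONF_DIR" "$SVC_GROUP" ;;
esac
```

Run it with `--report` first, and try `--fix` on a test system before production, as the second post advises.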