Debian package creates configuration file writable by the elasticsearch process

I just installed Elasticsearch 6.4.3 on a fresh Ubuntu 18.04 system from the Apt repository. I noticed that the configuration files in /etc/elasticsearch are writable by group elasticsearch, which the elasticsearch process runs as.

Is this correct? Configuration is usually only changed by the administrator, not by the application itself. Some applications provide a way to change their own configuration, but I don't think Elasticsearch does.

Any problem restricting access by removing the group writable bits?

Best,
Joost

I think you're right, but please try it out in a safe environment before changing your production environment :) The intention is that the elasticsearch group contains Elasticsearch administrators too. I expect the Java security manager prevents us writing to these files, but I can see a case for using filesystem permissions to clarify that. Would you open an issue at https://github.com/elastic/elasticsearch/issues to raise this for wider discussion and possible remedy?

Thanks, I have opened an issue on GitHub: https://github.com/elastic/elasticsearch/issues/35634


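An added example, not part of the thread and not Elastic's own tooling: a small audit that lists every entry under a configuration directory that a given group can write to, plus a helper that clears only the group-write bit. The function names are hypothetical; the directory and group in the usage comment are the ones named in the question.

```shell
#!/bin/sh
# Audit a configuration directory for entries writable by a service's group.
# Usage (values from the thread): sh audit.sh /etc/elasticsearch elasticsearch

# Print every file or directory under $1 that belongs to group $2
# (name or numeric gid) and has the group-write bit (020) set.
list_group_writable() {
    find "$1" -group "$2" -perm -020 -print
}

# Number of such entries, as a bare integer.
count_group_writable() {
    list_group_writable "$1" "$2" | wc -l | tr -d ' '
}

# Clear only the group-write bit on the flagged entries.
# Owner, group and all other mode bits are left untouched.
drop_group_write() {
    find "$1" -group "$2" -perm -020 -exec chmod g-w {} +
}

# Report findings; returns 1 when at least one entry is group-writable,
# so the function can gate a configuration-management or CI check.
audit_conf_dir() {
    n=$(count_group_writable "$1" "$2")
    if [ "$n" -gt 0 ]; then
        echo "$n entries under $1 are writable by group $2:"
        list_group_writable "$1" "$2" | while IFS= read -r p; do
            ls -ld "$p"
        done
        return 1
    fi
    echo "no entries under $1 are writable by group $2"
    return 0
}

# Run the audit only when a directory and a group are given on the command line.
if [ $# -ge 2 ]; then
    audit_conf_dir "$1" "$2"
fi
```

`drop_group_write` is never called by the script itself; run it with the same two arguments after reviewing the audit output, then restart the service in a test environment to confirm it still starts.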