From 5d1c59247f7b49606b49b43aac694780901bb338 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Emilio=20Alvarez=20Pi=C3=B1eiro?= <95703246+emilioalvap@users.noreply.github.com>
Date: Wed, 31 Jan 2024 15:41:02 +0100
Subject: [PATCH] [Heartbeat] Remove containerized check from setuid logic (#37794)

Removed isContainerized from setuid check, as it fails to detect containers running under cgroups v2 and prevents switching users when running as root.
---
 CHANGELOG.next.asciidoc | 1 +
 heartbeat/security/security.go | 10 +---------
 2 files changed, 2 insertions(+), 9 deletions(-)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 5ba27260c3b7..405c5b6cb472 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -81,6 +81,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
 *Heartbeat*
 - Fix panics when parsing dereferencing invalid parsed url. {pull}34702[34702]
+- Fix setuid root when running under cgroups v2. {pull}37794[37794]
 *Metricbeat*
diff --git a/heartbeat/security/security.go b/heartbeat/security/security.go
index 20c0f5cc7d68..8e15102f7b8d 100644
--- a/heartbeat/security/security.go
+++ b/heartbeat/security/security.go
@@ -26,8 +26,6 @@ import (
 "strconv"
 "syscall"
- sysinfo "github.com/elastic/go-sysinfo"
- "kernel.org/pub/linux/libs/security/libcap/cap"
 )
@@ -36,13 +34,7 @@ func init() {
 // In the context of a container, where users frequently run as root, we follow BEAT_SETUID_AS to setuid/gid
 // and add capabilities to make this actually run as a regular user. This also helps Node.js in synthetics, which
 // does not want to run as root. It's also just generally more secure.
- sysInfo, err := sysinfo.Host()
- isContainer := false
- if err == nil && sysInfo.Info().Containerized != nil {
- isContainer = *sysInfo.Info().Containerized
- }
-
- if localUserName := os.Getenv("BEAT_SETUID_AS"); isContainer && localUserName != "" && syscall.Geteuid() == 0 {
+ if localUserName := os.Getenv("BEAT_SETUID_AS"); localUserName != "" && syscall.Geteuid() == 0 {
 err := setNodeProcAttr(localUserName)
 if err != nil {
 panic(err)
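Review bot: The comment directly above the rewritten condition still scopes this behaviour to containers ("In the context of a container, ..."), but the new `if` on the `+` line now switches user whenever BEAT_SETUID_AS is set and the effective UID is 0, on any host, so the comment no longer describes the gate. Suggest rewording its first line to `// Whenever we run as root (commonly inside containers), we follow BEAT_SETUID_AS to setuid/gid` and leaving the rest as is. It is also worth stating in the comment or the commit message that this widens the failure mode: a non-container deployment that exports BEAT_SETUID_AS with a user that cannot be looked up or switched to will now panic in init() rather than silently keep running as root, which is the fail-closed behaviour you want here but is a visible change for host installs. init() starts before this hunk and the `if err != nil { panic(err)` block closes after it.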