Set permissions on the Grafana Agent [Flow] folder...

CHANGELOG.md

@@ -19,6 +19,9 @@ Main (unreleased)
 
 ### Bugfixes
 
+- Set permissions on the `Grafana Agent [Flow]` folder when installing via the
+  windows installer rather than relying on the parent folder permissions. (@erikbaranowski)
+
 - Fix an issues where the logging config block would trigger an error when trying to send logs to components that were not running. (@wildum)
 
 - Fix an issue where a custom component might be wired to a local declare instead of an import declare when they have the same label. (@wildum)

cmd/grafana-agent-operator/Dockerfile

@@ -4,7 +4,7 @@
 # default when running `docker buildx build` or when DOCKER_BUILDKIT=1 is set
 # in environment variables.
 
-FROM --platform=$BUILDPLATFORM grafana/agent-build-image:0.32.0 as build
+FROM --platform=$BUILDPLATFORM grafana/agent-build-image:0.33.0 as build
 ARG BUILDPLATFORM
 ARG TARGETPLATFORM
 ARG TARGETOS

cmd/grafana-agent/Dockerfile

@@ -4,7 +4,7 @@
 # default when running `docker buildx build` or when DOCKER_BUILDKIT=1 is set
 # in environment variables.
 
-FROM --platform=$BUILDPLATFORM grafana/agent-build-image:0.32.0 as build
+FROM --platform=$BUILDPLATFORM grafana/agent-build-image:0.33.0 as build
 ARG BUILDPLATFORM
 ARG TARGETPLATFORM
 ARG TARGETOS

cmd/grafana-agent/Dockerfile.windows

@@ -1,4 +1,4 @@
-FROM grafana/agent-build-image:0.32.0-windows as builder
+FROM grafana/agent-build-image:0.33.0-windows as builder
 ARG VERSION
 ARG RELEASE_BUILD=1
 

cmd/grafana-agentctl/Dockerfile

@@ -4,7 +4,7 @@
 # default when running `docker buildx build` or when DOCKER_BUILDKIT=1 is set
 # in environment variables.
 
-FROM --platform=$BUILDPLATFORM grafana/agent-build-image:0.32.0 as build
+FROM --platform=$BUILDPLATFORM grafana/agent-build-image:0.33.0 as build
 ARG BUILDPLATFORM
 ARG TARGETPLATFORM
 ARG TARGETOS

cmd/grafana-agentctl/Dockerfile.windows

@@ -1,4 +1,4 @@
-FROM grafana/agent-build-image:0.32.0-windows as builder
+FROM grafana/agent-build-image:0.33.0-windows as builder
 ARG VERSION
 ARG RELEASE_BUILD=1
 

packaging/grafana-agent-flow/windows/install_script.nsis

@@ -101,6 +101,8 @@ Section "install"
   # Auto-restart agent on failure. Reset failure counter after 60 seconds without failure
   nsExec::ExecToLog `sc failure "Grafana Agent Flow" reset= 60 actions= restart/5000 reboot= "Grafana Agent Flow has failed. Restarting in 5 seconds"`
   Pop $0
+
+  Call SetFolderPermissions
 SectionEnd
 
 Function CreateConfig
@@ -164,6 +166,19 @@ Function InitializeRegistry
   Return
 FunctionEnd
 
+Function SetFolderPermissions
+    # Set permissions on the install directory
+    SetOutPath $INSTDIR
+    AccessControl::DisableFileInheritance $INSTDIR
+    AccessControl::SetFileOwner $INSTDIR "Administrators"
+    AccessControl::ClearOnFile  $INSTDIR "Administrators" "FullAccess"
+    AccessControl::SetOnFile    $INSTDIR "SYSTEM" "FullAccess"
+    AccessControl::GrantOnFile  $INSTDIR "Everyone" "ListDirectory"
+    AccessControl::GrantOnFile  $INSTDIR "Everyone" "GenericExecute"
+    AccessControl::GrantOnFile  $INSTDIR "Everyone" "GenericRead"
+    AccessControl::GrantOnFile  $INSTDIR "Everyone" "ReadAttributes"
+FunctionEnd
+
 # Automatically called when uninstalling.
 Function un.onInit
   SetShellVarContext all

packaging/grafana-agent/windows/install_script.nsis

@@ -155,6 +155,8 @@ Function Install
     # Auto-restart agent on failure. Reset failure counter after 60 seconds without failure
     nsExec::ExecToLog `sc failure "Grafana Agent" reset= 60 actions= restart/5000 reboot= "Grafana Agent has failed. Restarting in 5 seconds"`
     Pop $0
+
+    Call SetFolderPermissions
 FunctionEnd
 
 Function WriteConfig
@@ -189,6 +191,19 @@ Function WriteConfig
         Return
 FunctionEnd
 
+Function SetFolderPermissions
+    # Set permissions on the install directory
+    SetOutPath $INSTDIR
+    AccessControl::DisableFileInheritance $INSTDIR
+    AccessControl::SetFileOwner $INSTDIR "Administrators"
+    AccessControl::ClearOnFile  $INSTDIR "Administrators" "FullAccess"
+    AccessControl::SetOnFile    $INSTDIR "SYSTEM" "FullAccess"
+    AccessControl::GrantOnFile  $INSTDIR "Everyone" "ListDirectory"
+    AccessControl::GrantOnFile  $INSTDIR "Everyone" "GenericExecute"
+    AccessControl::GrantOnFile  $INSTDIR "Everyone" "GenericRead"
+    AccessControl::GrantOnFile  $INSTDIR "Everyone" "ReadAttributes"
+FunctionEnd
+
 # Uninstaller
 Function un.onInit
     SetShellVarContext all

tools/make/build-container.mk

@@ -34,7 +34,7 @@
 # variable names should be passed through to the container.
 
 USE_CONTAINER       ?= 0
-BUILD_IMAGE_VERSION ?= 0.32.0
+BUILD_IMAGE_VERSION ?= 0.33.0
 BUILD_IMAGE         ?= grafana/agent-build-image:$(BUILD_IMAGE_VERSION)
 DOCKER_OPTS         ?= -it
 

tools/make/packaging.mk

@@ -400,7 +400,7 @@ ifeq ($(USE_CONTAINER),1)
 else
 	cp ./dist/grafana-agent-windows-amd64.exe ./packaging/grafana-agent/windows
 	cp LICENSE ./packaging/grafana-agent/windows
-	# quotes around mkdir are manadory. ref: https://github.com/grafana/agent/pull/5664#discussion_r1378796371
+	# quotes around mkdir are mandatory. ref: https://github.com/grafana/agent/pull/5664#discussion_r1378796371
 	"mkdir" -p dist
 	makensis -V4 -DVERSION=$(VERSION) -DOUT="../../../dist/grafana-agent-installer.exe" ./packaging/grafana-agent/windows/install_script.nsis
 endif
@@ -410,7 +410,7 @@ dist-agent-flow-installer: dist.temp/grafana-agent-flow-windows-amd64.exe dist.t
 ifeq ($(USE_CONTAINER),1)
 	$(RERUN_IN_CONTAINER)
 else
-	# quotes around mkdir are manadory. ref: https://github.com/grafana/agent/pull/5664#discussion_r1378796371
+	# quotes around mkdir are mandatory. ref: https://github.com/grafana/agent/pull/5664#discussion_r1378796371
 	"mkdir" -p dist
 	makensis -V4 -DVERSION=$(VERSION) -DOUT="../../../dist/grafana-agent-flow-installer.exe" ./packaging/grafana-agent-flow/windows/install_script.nsis
 endif