Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Set permissions on the Grafana Agent [Flow] folder... #6540

Merged
merged 9 commits into from
Feb 29, 2024
Merged

Set permissions on the Grafana Agent [Flow] folder... #6540

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
2735625
Set permissions on the folder when installing via the windows instal…
erikbaranowski Feb 27, 2024
5e2c68f
Merge branch 'main' into windows-installer-security-fix
erikbaranowski Feb 27, 2024
4b4e649
Update CHANGELOG.md
erikbaranowski Feb 27, 2024
187664c
Merge branch 'main' into windows-installer-security-fix
erikbaranowski Feb 28, 2024
3bef120
Update the build image with the nsis plugin instead of installing it …
erikbaranowski Feb 29, 2024
098b6bc
Merge branch 'windows-installer-security-fix' of https://github.com/g…
erikbaranowski Feb 29, 2024
25ebb1b
Update build image version
erikbaranowski Feb 29, 2024
8d91657
Merge branch 'main' into windows-installer-security-fix
erikbaranowski Feb 29, 2024
df586be
remote build image changes from this PR
erikbaranowski Feb 29, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 5 additions & 1 deletion CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,10 @@ Main (unreleased)
- Added a new CLI flag `--stability.level` which defines the minimum stability
level required for the features that the agent is allowed to use. Default is `experimental`. (@thampiotr)

### Bugfixes

- Set permissions on the `Grafana Agent [Flow]` folder when installing via the
windows installer rather than relying on the parent folder permissions. (@erikbaranowski)

v0.40.0 (2024-02-27)
--------------------
Expand Down Expand Up @@ -3878,7 +3882,7 @@ v0.1.0 (2020-03-16)

> First release!

### Features
### Featuresgit status
erikbaranowski marked this conversation as resolved.
Show resolved Hide resolved

- Support for scraping Prometheus metrics and sharding the agent through the
presence of a `host_filter` flag within the Agent configuration file.
Expand Down
15 changes: 15 additions & 0 deletions packaging/grafana-agent-flow/windows/install_script.nsis
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -101,6 +101,8 @@ Section "install"
# Auto-restart agent on failure. Reset failure counter after 60 seconds without failure
nsExec::ExecToLog `sc failure "Grafana Agent Flow" reset= 60 actions= restart/5000 reboot= "Grafana Agent Flow has failed. Restarting in 5 seconds"`
Pop $0

Call SetFolderPermissions
SectionEnd

Function CreateConfig
Expand Down Expand Up @@ -164,6 +166,19 @@ Function InitializeRegistry
Return
FunctionEnd

Function SetFolderPermissions
# Set permissions on the install directory
SetOutPath $INSTDIR
AccessControl::DisableFileInheritance $INSTDIR
AccessControl::SetFileOwner $INSTDIR "Administrators"
AccessControl::ClearOnFile $INSTDIR "Administrators" "FullAccess"
AccessControl::SetOnFile $INSTDIR "SYSTEM" "FullAccess"
AccessControl::GrantOnFile $INSTDIR "Everyone" "ListDirectory"
AccessControl::GrantOnFile $INSTDIR "Everyone" "GenericExecute"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

GenericExecute sounds scary?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I also hate that GrantOnFile is both file and directory, made me look up the docs on this.

AccessControl::GrantOnFile $INSTDIR "Everyone" "GenericRead"
AccessControl::GrantOnFile $INSTDIR "Everyone" "ReadAttributes"
FunctionEnd

# Automatically called when uninstalling.
Function un.onInit
SetShellVarContext all
Expand Down
15 changes: 15 additions & 0 deletions packaging/grafana-agent/windows/install_script.nsis
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -155,6 +155,8 @@ Function Install
# Auto-restart agent on failure. Reset failure counter after 60 seconds without failure
nsExec::ExecToLog `sc failure "Grafana Agent" reset= 60 actions= restart/5000 reboot= "Grafana Agent has failed. Restarting in 5 seconds"`
Pop $0

Call SetFolderPermissions
FunctionEnd

Function WriteConfig
Expand Down Expand Up @@ -189,6 +191,19 @@ Function WriteConfig
Return
FunctionEnd

Function SetFolderPermissions
# Set permissions on the install directory
SetOutPath $INSTDIR
AccessControl::DisableFileInheritance $INSTDIR
AccessControl::SetFileOwner $INSTDIR "Administrators"
AccessControl::ClearOnFile $INSTDIR "Administrators" "FullAccess"
AccessControl::SetOnFile $INSTDIR "SYSTEM" "FullAccess"
AccessControl::GrantOnFile $INSTDIR "Everyone" "ListDirectory"
AccessControl::GrantOnFile $INSTDIR "Everyone" "GenericExecute"
AccessControl::GrantOnFile $INSTDIR "Everyone" "GenericRead"
AccessControl::GrantOnFile $INSTDIR "Everyone" "ReadAttributes"
FunctionEnd

# Uninstaller
Function un.onInit
SetShellVarContext all
Expand Down
6 changes: 4 additions & 2 deletions tools/make/packaging.mk
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -388,8 +388,9 @@ ifeq ($(USE_CONTAINER),1)
else
cp ./dist/grafana-agent-windows-amd64.exe ./packaging/grafana-agent/windows
cp LICENSE ./packaging/grafana-agent/windows
# quotes around mkdir are manadory. ref: https://github.com/grafana/agent/pull/5664#discussion_r1378796371
# quotes around mkdir are mandatory. ref: https://github.com/grafana/agent/pull/5664#discussion_r1378796371
"mkdir" -p dist
curl -O https://nsis.sourceforge.io/mediawiki/images/4/4a/AccessControl.zip && unzip AccessControl.zip -d /usr/share/nsis/ && cp /usr/share/nsis/Plugins/i386-unicode/AccessControl.dll /usr/share/nsis/Plugins/x86-unicode/
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This can probably be done in the build image instead.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This feels semi reasonable :)

makensis -V4 -DVERSION=$(VERSION) -DOUT="../../../dist/grafana-agent-installer.exe" ./packaging/grafana-agent/windows/install_script.nsis
endif

Expand All @@ -398,7 +399,8 @@ dist-agent-flow-installer: dist.temp/grafana-agent-flow-windows-amd64.exe dist.t
ifeq ($(USE_CONTAINER),1)
$(RERUN_IN_CONTAINER)
else
# quotes around mkdir are manadory. ref: https://github.com/grafana/agent/pull/5664#discussion_r1378796371
# quotes around mkdir are mandatory. ref: https://github.com/grafana/agent/pull/5664#discussion_r1378796371
"mkdir" -p dist
curl -O https://nsis.sourceforge.io/mediawiki/images/4/4a/AccessControl.zip && unzip AccessControl.zip -d /usr/share/nsis/ && cp /usr/share/nsis/Plugins/i386-unicode/AccessControl.dll /usr/share/nsis/Plugins/x86-unicode/
makensis -V4 -DVERSION=$(VERSION) -DOUT="../../../dist/grafana-agent-flow-installer.exe" ./packaging/grafana-agent-flow/windows/install_script.nsis
endif
Loading