Set permissions on the Grafana Agent [Flow] folder... (grafana#6540)

* Set permissions on the folder when installing via the windows installer rather than relying on the parent folder permissions. Signed-off-by: erikbaranowski <39704712+erikbaranowski@users.noreply.github.com> --------- Signed-off-by: erikbaranowski <39704712+erikbaranowski@users.noreply.github.com> (cherry picked from commit 9e4d3b5)
rfratto · Mar 5, 2024 · ed96e88 · ed96e88
1 parent 048c587
commit ed96e88
Show file tree

Hide file tree

Showing 11 changed files with 99 additions and 66 deletions.
diff --git a/.drone/drone.yml b/.drone/drone.yml
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -14,6 +14,9 @@ v0.40.1 (2024-02-27)
 
 ### Bugfixes
 
+- Set permissions on the `Grafana Agent [Flow]` folder when installing via the
+  windows installer rather than relying on the parent folder permissions. (@erikbaranowski)
+
 - Fix an issues where the logging config block would trigger an error when trying to send logs to components that were not running. (@wildum)
 
 - Fix an issue where a custom component might be wired to a local declare instead of an import declare when they have the same label. (@wildum)

diff --git a/cmd/grafana-agent-operator/Dockerfile b/cmd/grafana-agent-operator/Dockerfile
@@ -4,7 +4,7 @@
 # default when running `docker buildx build` or when DOCKER_BUILDKIT=1 is set
 # in environment variables.
 
-FROM --platform=$BUILDPLATFORM grafana/agent-build-image:0.30.4 as build
+FROM --platform=$BUILDPLATFORM grafana/agent-build-image:0.33.0 as build
 ARG BUILDPLATFORM
 ARG TARGETPLATFORM
 ARG TARGETOS

diff --git a/cmd/grafana-agent/Dockerfile b/cmd/grafana-agent/Dockerfile
@@ -4,7 +4,7 @@
 # default when running `docker buildx build` or when DOCKER_BUILDKIT=1 is set
 # in environment variables.
 
-FROM --platform=$BUILDPLATFORM grafana/agent-build-image:0.30.4 as build
+FROM --platform=$BUILDPLATFORM grafana/agent-build-image:0.33.0 as build
 ARG BUILDPLATFORM
 ARG TARGETPLATFORM
 ARG TARGETOS

diff --git a/cmd/grafana-agent/Dockerfile.windows b/cmd/grafana-agent/Dockerfile.windows
@@ -1,4 +1,4 @@
-FROM grafana/agent-build-image:0.30.4-windows as builder
+FROM grafana/agent-build-image:0.33.0-windows as builder
 ARG VERSION
 ARG RELEASE_BUILD=1
 

diff --git a/cmd/grafana-agentctl/Dockerfile b/cmd/grafana-agentctl/Dockerfile
@@ -4,7 +4,7 @@
 # default when running `docker buildx build` or when DOCKER_BUILDKIT=1 is set
 # in environment variables.
 
-FROM --platform=$BUILDPLATFORM grafana/agent-build-image:0.30.4 as build
+FROM --platform=$BUILDPLATFORM grafana/agent-build-image:0.33.0 as build
 ARG BUILDPLATFORM
 ARG TARGETPLATFORM
 ARG TARGETOS

diff --git a/cmd/grafana-agentctl/Dockerfile.windows b/cmd/grafana-agentctl/Dockerfile.windows
@@ -1,4 +1,4 @@
-FROM grafana/agent-build-image:0.30.4-windows as builder
+FROM grafana/agent-build-image:0.33.0-windows as builder
 ARG VERSION
 ARG RELEASE_BUILD=1
 

diff --git a/packaging/grafana-agent-flow/windows/install_script.nsis b/packaging/grafana-agent-flow/windows/install_script.nsis
@@ -101,6 +101,8 @@ Section "install"
   # Auto-restart agent on failure. Reset failure counter after 60 seconds without failure
   nsExec::ExecToLog `sc failure "Grafana Agent Flow" reset= 60 actions= restart/5000 reboot= "Grafana Agent Flow has failed. Restarting in 5 seconds"`
   Pop $0
+
+  Call SetFolderPermissions
 SectionEnd
 
 Function CreateConfig
@@ -164,6 +166,19 @@ Function InitializeRegistry
   Return
 FunctionEnd
 
+Function SetFolderPermissions
+    # Set permissions on the install directory
+    SetOutPath $INSTDIR
+    AccessControl::DisableFileInheritance $INSTDIR
+    AccessControl::SetFileOwner $INSTDIR "Administrators"
+    AccessControl::ClearOnFile  $INSTDIR "Administrators" "FullAccess"
+    AccessControl::SetOnFile    $INSTDIR "SYSTEM" "FullAccess"
+    AccessControl::GrantOnFile  $INSTDIR "Everyone" "ListDirectory"
+    AccessControl::GrantOnFile  $INSTDIR "Everyone" "GenericExecute"
+    AccessControl::GrantOnFile  $INSTDIR "Everyone" "GenericRead"
+    AccessControl::GrantOnFile  $INSTDIR "Everyone" "ReadAttributes"
+FunctionEnd
+
 # Automatically called when uninstalling.
 Function un.onInit
   SetShellVarContext all

diff --git a/packaging/grafana-agent/windows/install_script.nsis b/packaging/grafana-agent/windows/install_script.nsis
@@ -155,6 +155,8 @@ Function Install
     # Auto-restart agent on failure. Reset failure counter after 60 seconds without failure
     nsExec::ExecToLog `sc failure "Grafana Agent" reset= 60 actions= restart/5000 reboot= "Grafana Agent has failed. Restarting in 5 seconds"`
     Pop $0
+
+    Call SetFolderPermissions
 FunctionEnd
 
 Function WriteConfig
@@ -189,6 +191,19 @@ Function WriteConfig
         Return
 FunctionEnd
 
+Function SetFolderPermissions
+    # Set permissions on the install directory
+    SetOutPath $INSTDIR
+    AccessControl::DisableFileInheritance $INSTDIR
+    AccessControl::SetFileOwner $INSTDIR "Administrators"
+    AccessControl::ClearOnFile  $INSTDIR "Administrators" "FullAccess"
+    AccessControl::SetOnFile    $INSTDIR "SYSTEM" "FullAccess"
+    AccessControl::GrantOnFile  $INSTDIR "Everyone" "ListDirectory"
+    AccessControl::GrantOnFile  $INSTDIR "Everyone" "GenericExecute"
+    AccessControl::GrantOnFile  $INSTDIR "Everyone" "GenericRead"
+    AccessControl::GrantOnFile  $INSTDIR "Everyone" "ReadAttributes"
+FunctionEnd
+
 # Uninstaller
 Function un.onInit
     SetShellVarContext all

diff --git a/tools/make/build-container.mk b/tools/make/build-container.mk
@@ -34,7 +34,7 @@
 # variable names should be passed through to the container.
 
 USE_CONTAINER       ?= 0
-BUILD_IMAGE_VERSION ?= 0.31.0
+BUILD_IMAGE_VERSION ?= 0.33.0
 BUILD_IMAGE         ?= grafana/agent-build-image:$(BUILD_IMAGE_VERSION)
 DOCKER_OPTS         ?= -it
 

diff --git a/tools/make/packaging.mk b/tools/make/packaging.mk
@@ -388,7 +388,7 @@ ifeq ($(USE_CONTAINER),1)
 else
 	cp ./dist/grafana-agent-windows-amd64.exe ./packaging/grafana-agent/windows
 	cp LICENSE ./packaging/grafana-agent/windows
-	# quotes around mkdir are manadory. ref: https://github.com/grafana/agent/pull/5664#discussion_r1378796371
+	# quotes around mkdir are mandatory. ref: https://github.com/grafana/agent/pull/5664#discussion_r1378796371
 	"mkdir" -p dist
 	makensis -V4 -DVERSION=$(VERSION) -DOUT="../../../dist/grafana-agent-installer.exe" ./packaging/grafana-agent/windows/install_script.nsis
 endif
@@ -398,7 +398,7 @@ dist-agent-flow-installer: dist.temp/grafana-agent-flow-windows-amd64.exe dist.t
 ifeq ($(USE_CONTAINER),1)
 	$(RERUN_IN_CONTAINER)
 else
-	# quotes around mkdir are manadory. ref: https://github.com/grafana/agent/pull/5664#discussion_r1378796371
+	# quotes around mkdir are mandatory. ref: https://github.com/grafana/agent/pull/5664#discussion_r1378796371
 	"mkdir" -p dist
 	makensis -V4 -DVERSION=$(VERSION) -DOUT="../../../dist/grafana-agent-flow-installer.exe" ./packaging/grafana-agent-flow/windows/install_script.nsis
 endif