scalyr
diff --git a/‎CHANGELOG.md‎
Lines changed: 2 additions & 6 deletions b/‎CHANGELOG.md‎
Lines changed: 2 additions & 6 deletions
diff --git a/‎RELEASE_NOTES.md‎
Lines changed: 0 additions & 51 deletions b/‎RELEASE_NOTES.md‎
Lines changed: 0 additions & 51 deletions
diff --git a/‎build_package.py‎
Lines changed: 3 additions & 29 deletions b/‎build_package.py‎
Lines changed: 3 additions & 29 deletions
diff --git a/‎installer/scripts/postinstall.sh‎
Lines changed: 5 additions & 104 deletions b/‎installer/scripts/postinstall.sh‎
Lines changed: 5 additions & 104 deletions
diff --git a/‎scalyr_agent/config_main.py‎
Lines changed: 0 additions & 36 deletions b/‎scalyr_agent/config_main.py‎
Lines changed: 0 additions & 36 deletions
@@ -1,10 +1,10 @@
 Scalyr Agent 2 Changes By Release
 =================================
 
-## 2.1.15 "Endora" - December 15, 2020
+## 2.1.15 "Endora" - December 16, 2020
 
 <!---
-Packaged by Tomaz Muraus <tomaz@scalyr.com> on Dec 2, 2020 14:00 -0800
+Packaged by Arthur Kamalov <arthur@scalyr.com> on Dec 16, 2020 14:00 -0800
 --->
 Feature:
 * Ability to upload logs to different Scalyr team accounts by specifying different API keys for different log files. See [RELEASE_NOTES](https://github.com/scalyr/scalyr-agent-2/blob/master/RELEASE_NOTES.md) for more details.
@@ -16,7 +16,6 @@ Improvements:
 
 Misc:
 * The default value for the `k8s_cri_query_filesystem` Kubernetes monitor config option (set via the `SCALYR_K8S_CRI_QUERY_FILESYSTEM` environment var) has changed to `True`. This means that by default when in CRI mode, the monitor will only query the filesystem for the list of active containers, rather than first querying the Kubelet API. If you wish to revert to the original default to prefer using the Kubelet API, set `SCALYR_K8S_CRI_QUERY_FILESYSTEM` the environment variable to "false" for the Scalyr Agent daemonset.
-* On startup and when parsing a config file, agent now emits a warning if the config file is readable by others.
 * New ``global_monitor_sample_interval_enable_jitter`` config option has been added which is enabled by default. When this option is enabled, random sleep between 2/10 and 8/10 of the configured monitor sample gather interval is used before gathering the sample for the first time. This ensures that sample gathering for all the monitors doesn't run at the same time. This comes in handy when running agent configured with many monitors on lower powered devices to spread the monitor sample gathering related load spike across a longer time frame.
 
 Bug fixes:
@@ -26,9 +25,6 @@ Bug fixes:
 * Update Windows System Metrics monitor to better handle a situation when disk io counters are not available.
 * Docker monitor has been fixed that when running in "API mode" (``docker_raw_logs: false``) it also correctly ingests logs from container ``stderr``. Previously only logs from ``stdout`` have been ingested.
 
-Security fixes and improvements:
-* Agent installation artifacts have been updated so the default ``agent.json`` file which is bundled with the agent is not readable by "other" system users by default anymore. For more context, details and impact, please see [RELEASE_NOTES](https://github.com/scalyr/scalyr-agent-2/blob/master/RELEASE_NOTES.md).
-
 ## 2.1.14 "Hydrus" - November 4, 2020
 
 <!---
 
@@ -170,57 +170,6 @@ NOTE: If the ``api_key_id`` is omitted, then the ``default`` API key is used.
    by default so if you want to specify custom options for it, you need to add
    ``implicit_metric_monitor: false,`` option to the config as well.
 
-* This release fixes default permissions for the ``agent.json`` file and ``agent.d/`` directory
-  and ``*.json`` files inside that directory and makes sure those files are not readable by
-  others by default (aka "other" permission bit in octal notation for that file is ``0`` in case
-  of a file and ``1`` in case of a directory).
-
-  In the previous releases, ``agent.json`` file was readable by others by default which means if a
-  user didn't explicitly lock down and change the permission of that file after installation,
-  other users who have access to the system where the agent is running on could potentially read
-  that file and access information such as the API key which is used to send / upload logs to
-  Scalyr.
-
-  This issue only affects users which run agent on servers with multiple users. Container
-  installations (Docker, Kubernetes) are single user by default so those are not affected.
-
-  This issue also doesn't affect any installations which use a configuration management tool such
-  as Ansible, Chef, Puppet, Terraform or similar to manage the config file content and permissions.
-
-  In fact, using configuration management tool to manage configuration file access and locking down
-  the permission is the best practice and recommended approach by us.
-
-  As part of the fix, agent will now lock down those file permissions and also fix them on upgrade
-  as part of the post install step for the existing files and installations.
-
-  If you intentionally changed "other" permission bits for any of those files to something else than
-  ``0``, you will need to change it again after installing / upgrading the agent.
-
-  If you believe you may be affected, we recommend revoking the old write API key used to send logs
-  and generating a new one.
-
-  Keep in mind that the API key used by the agent is a write one which only has access to send logs
-  and nothing else.
-
-  It's also worth noting that this only affects agent.json file bundled with the default agent
-  installation. If you manually removed that file and created a new one, that is out of the agent
-  scope and domain of ``umask`` on Linux.
-
-  On Windows, permissions are not rectified automatically because some users run the agent under a
-  custom non-Administrator user account so automatically fixing the permissions would break this
-  scenario.
-
-  In this case, user can manually run ``scalyr-agent-2-config.exe`` as administrator to revoke
-  permissions for "Users" group for the agent config.
-
-  ```powershell
-  & "C:\Program Files (x86)\Scalyr\config\scalyr-agent-2-config.exe" "--fix-config-permissions"
-  ```
-
-  Keep in mind that after running this script you need to use Administrator account to grant read
-  permissions to user account which is used to run the agent in case this user is not Administrator
-  or not a member of Administrators group.
-
 ## 2.1.8 "Titan" - August 3, 2020
 
 * The `status -v` and the new `status -H` command contain health check information and will have a return code
 
@@ -294,13 +294,11 @@ def build_win32_installer_package(variant, version):
     )
 
     # Copy the config file.
-    agent_json_path = make_path(agent_source_root, "config/agent.json")
     cat_files(
-        [agent_json_path], "agent_config.tmpl", convert_newlines=True,
+        [make_path(agent_source_root, "config/agent.json")],
+        "agent_config.tmpl",
+        convert_newlines=True,
     )
-    # NOTE: We in intentionally set this permission bit for agent.json to make sure it's not
-    # readable by others.
-    os.chmod(agent_json_path, int("640", 8))
 
     os.chdir("..")
     # We need to place a 'setup.py' here so that when we executed py2exe it finds it.
@@ -340,10 +338,6 @@ def build_win32_installer_package(variant, version):
     make_directory("Scalyr/logs")
     make_directory("Scalyr/data")
     make_directory("Scalyr/config/agent.d")
-    # NOTE: We in intentionally set this permission bit for agent.d directory to make sure it's not
-    # readable by others.
-    os.chmod("Scalyr/config/agent.d", int("741", 8))
-
     os.rename(os.path.join("dist", "scalyr-agent-2"), convert_path("Scalyr/bin"))
     shutil.copy(
         make_path(agent_source_root, "win32/ScalyrShell.cmd"),
@@ -591,9 +585,6 @@ def build_common_docker_and_package_files(create_initd_link, base_configs=None):
 
     # Make sure there is an agent.d directory regardless of the config directory we used.
     make_directory("root/etc/scalyr-agent-2/agent.d")
-    # NOTE: We in intentionally set this permission bit for agent.d directory to make sure it's not
-    # readable by others.
-    os.chmod("root/etc/scalyr-agent-2/agent.d", int("741", 8))
 
     # Create the links to the appropriate commands in /usr/sbin and /etc/init.d/
     if create_initd_link:
@@ -843,16 +834,6 @@ def build_rpm_or_deb_package(is_rpm, variant, version):
         "  --directories /usr/share/scalyr-agent-2 "
         "  --directories /var/lib/scalyr-agent-2 "
         "  --directories /var/log/scalyr-agent-2 "
-        # NOTE: By default fpm won't preserve all the permissions we set on the files so we need
-        # to use those flags.
-        # If we don't do that, fpm will use 77X for directories and we don't really want 7 for
-        # "group"
-        "  --rpm-use-file-permissions --deb-use-file-permissions "
-        # NOTE: Sadly we can't use defattrdir since it breakes permissions for some other
-        # directories such as /etc/init.d and we need to handle that in postinst :/
-        # "  --rpm-auto-add-directories "
-        # "  --rpm-defattrfile 640"
-        # "  --rpm-defattrdir 751"
         "  -C root usr etc var" % (package_type, version, iteration_arg, description),
         exit_on_fail=True,
         command_name="fpm",
@@ -892,9 +873,6 @@ def build_tarball_package(variant, version, no_versioned_file_name):
     make_directory("scalyr-agent-2/data")
     make_directory("scalyr-agent-2/log")
     make_directory("scalyr-agent-2/config/agent.d")
-    # NOTE: We in intentionally set this permission bit for agent.d directory to make sure it's not
-    # readable by others.
-    os.chmod("scalyr-agent-2/config/agent.d", int("741", 8))
 
     # Create a file named packageless.  This signals to the agent that
     # this a tarball install instead of an RPM/Debian install, which changes
@@ -1019,12 +997,8 @@ def build_base_files(base_configs="config"):
         config_path = base_configs
     else:
         config_path = "config"
-
     shutil.copytree(make_path(agent_source_root, config_path), "config")
 
-    # Make sure config file has 640 permissions
-    os.chmod("config/agent.json", int("640", 8))
-
     # Create the trusted CA root list.
     os.chdir("certs")
     cat_files(
 
@@ -13,6 +13,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+
+
 # Used below to execute a command to retrieve the Python interpreter version.
 run_and_check_persion_version() {
   command=$1
@@ -78,120 +80,19 @@ check_python_version() {
   echo "Warning, no valid Python interpreter found."
 }
 
-# Function which ensures that the provided file path permissions for "group" match the
-# provided permission bit in octal notation.
-# This function can operate on a file or on a directory.
-ensure_path_group_permissions() {
-  file_path=$1
-  wanted_permissions_group=$2
-
-  if [ "${wanted_permissions_group}" -lt 0 ] || [ "${wanted_permissions_group}" -gt 7 ]; then
-    echo "wanted_permissions_group value needs to be between 0 and 7"
-    return 1
-  fi
-
-  # Will output permissions on octal mode - xyz, e.g. 644
-  file_permissions=$(stat -c %a "${file_path}")
-  # Permissions for owner - e.g. 6
-  file_permissions_owner=$(echo -n "$file_permissions" | head -c 1)
-  # Permissions for group - e.g. 4
-  file_permissions_group=$(echo -n "$file_permissions" | head -c 2 | tail -c 1)
-  # Permissions for other - e.g. 4
-  file_permissions_others=$(echo -n "$file_permissions" | tail -c 1)
-
-  # NOTE: We re-use existing fs permissions for owner and other
-  if [ "${file_permissions_group}" -ne "${wanted_permissions_group}" ]; then
-    new_permissions="${file_permissions_owner}${wanted_permissions_group}${file_permissions_others}"
-    echo "Changing permissions for file ${file_path} from \"${file_permissions}\" to \"${new_permissions}\"."
-
-    # NOTE: On CI chmod sometimes fails with 'getpwuid(): uid not found: 1001' which is likely
-    # related to some unfinished provisioning on the CI or similar. We simply ignore any
-    # errors returned by chmod.
-    set +e
-    set +o pipefail
-    chmod "${new_permissions}" "${file_path}" > /dev/null 2>&1 || true;
-    set -e
-    set -o pipefail
-  fi
-}
-
-# Function which ensures that the provided file path permissions for "other" users match the
-# provided permission bit in octal notation.
-# This function can operate on a file or on a directory.
-ensure_path_other_permissions() {
-  file_path=$1
-  wanted_permissions_other=$2
-
-  if [ "${wanted_permissions_other}" -lt 0 ] || [ "${wanted_permissions_other}" -gt 7 ]; then
-    echo "wanted_permissions_other value needs to be between 0 and 7"
-    return 1
-  fi
-
-  # Will output permissions on octal mode - xyz, e.g. 644
-  file_permissions=$(stat -c %a "${file_path}")
-  # Permissions for owner and group - e.g. 644
-  file_permissions_owner_group=$(echo -n "$file_permissions" | head -c 2)
-  # Permissions for other - e.g. 4
-  file_permissions_others=$(echo -n "$file_permissions" | tail -c 1)
-
-  # NOTE: We re-use existing fs permissions for owner and group
-  if [ "${file_permissions_others}" -ne "${wanted_permissions_other}" ]; then
-    new_permissions="${file_permissions_owner_group}${wanted_permissions_other}"
-    echo "Changing permissions for file ${file_path} from \"${file_permissions}\" to \"${new_permissions}\"."
-
-    # NOTE: On CI chmod sometimes fails with 'getpwuid(): uid not found: 1001' which is likely
-    # related to some unfinished provisioning on the CI or similar. We simply ignore any
-    # errors returned by chmod.
-    set +e
-    set +o pipefail
-    chmod "${new_permissions}" "${file_path}" > /dev/null 2>&1 || true;
-    set -e
-    set -o pipefail
-  fi
-}
-
-# Function which ensures that the provided file path is not readable by "other" users aka has
-# "0" value for permission in the octal notation. If permissions don't match, we update them
-# and ensure value for the user part is "0".
-# This function can operate on a file or on a directory.
-ensure_path_not_readable_by_others() {
-  file_path=$1
-  ensure_path_other_permissions "${file_path}" "0"
-}
-
 check_python_version
 
-config_owner=$(stat -c %U /etc/scalyr-agent-2/agent.json)
-script_owner=$(stat -c %U /usr/share/scalyr-agent-2/bin/scalyr-agent-2)
+config_owner=`stat -c %U /etc/scalyr-agent-2/agent.json`
+script_owner=`stat -c %U /usr/share/scalyr-agent-2/bin/scalyr-agent-2`
 
 # Determine if the agent had been previously configured to run as a
-# different user than root.  We can determine this if agent.json
+# different user than root.  We can determine this if agentConfig.json
 # has a different user.  If so, then make sure the newly installed files
 # (like agent.sh) are changed to the correct owners.
 if [ "$config_owner" != "$script_owner" ]; then
-  echo "Changing owner for /etc/scalyr-agent-2/agent.json file from $script_owner to $config_owner"
   /usr/share/scalyr-agent-2/bin/scalyr-agent-2-config --set_user "$config_owner" > /dev/null 2>&1;
 fi
 
-# Ensure /etc/scalyr-agent-2/agent.json file is not readable by others
-ensure_path_not_readable_by_others "/etc/scalyr-agent-2/agent.json"
-
-# We also change agent.d group permissions to 751 since it used to be 771 due to default fpm behavior
-ensure_path_group_permissions "/etc/scalyr-agent-2/agent.d" "5"
-
-# Ensure agent.d/*.json files are note readable by others
-# NOTE: Most software gives +x bit on *.d directories so we do the same
-ensure_path_other_permissions "/etc/scalyr-agent-2/agent.d" "1"
-
-if [ -d "/etc/scalyr-agent-2/agent.d" ]; then
-  # NOTE: find + -print0 correctly handles whitespaces in  filenames and it's more robust than for,
-  # but it may have cross platform issues. In that case we may need to revert to for.
-  #for config_fragment_path in /etc/scalyr-agent-2/agent.d/*.json; do
-  find /etc/scalyr-agent-2/agent.d/ -name "*.json" -print0 | while read -r -d $'\0' config_fragment_path; do
-    ensure_path_not_readable_by_others "${config_fragment_path}"
-  done
-fi
-
 # Add in the symlinks in the appropriate /etc/rcX.d/ directories
 # to stop and start the service at boot time.
 if [ -f /sbin/chkconfig ] || [ -f /usr/sbin/chkconfig ]; then
 
@@ -81,7 +81,6 @@
 from scalyr_agent.platform_controller import PlatformController
 from scalyr_agent import compat
 
-from scalyr_agent.util import win_remove_user_file_path_permissions
 import scalyr_agent.util as scalyr_util
 
 
@@ -1432,23 +1431,6 @@ def make_symlink(source, target):
             help="Starts the agent if the conditional restart file marker exists.",
         )
 
-        if sys.platform.startswith("win"):
-            # Special flag which is used by the Windows installer. We use it to indicate to this binary
-            # to fix up permissions for agent.json file and agent.d/ directory. This file is also used
-            # to create initial config by the install which means we can't correctly set those
-            # permissions inside the .wxs wix spec file.
-            # Right now it can only be used with "--init-config" flag on Windows.
-            parser.add_option(
-                "",
-                "--fix-config-permissions",
-                dest="fix_config_permissions",
-                action="store_true",
-                default=False,
-                help=(
-                    "Fix permissions for agent.json file and agent.d/ directory and make sure it's. "
-                    "not readable by others. Applies to Windows only."
-                ),
-            )
     (options, args) = parser.parse_args()
     if len(args) > 1:
         print("Could not parse commandline arguments.", file=sys.stderr)
@@ -1543,24 +1525,6 @@ def make_symlink(source, target):
 
     controller.consume_config(config_file, options.config_filename)
 
-    if sys.platform.startswith("win") and options.fix_config_permissions:
-        print(
-            "Changing permissions for agent.json and agent.d and making sure it's not readable "
-            "by Users"
-        )
-
-        config_path = options.config_filename
-        configs_directory = os.path.dirname(config_path)
-        agent_json_path = os.path.join(configs_directory, "agent.json")
-        agent_d_path = os.path.join(configs_directory, "agent.d")
-
-        win_remove_user_file_path_permissions(
-            file_path=agent_json_path, username="Users"
-        )
-        win_remove_user_file_path_permissions(file_path=agent_d_path, username="Users")
-
-        print("Permissions updated.")
-
     # See if we have to start the agent.  This is only used by Windows right now as part of its install process.
     if sys.platform.startswith("win") and options.mark_conditional_restart:
         mark_conditional_restart(controller, config_file)