Merge branch '8.x' into mergify/bp/8.x/pr-6384

NOTICE.txt

@@ -1319,11 +1319,11 @@ SOFTWARE
 
 --------------------------------------------------------------------------------
 Dependency : github.com/elastic/elastic-agent-libs
-Version: v0.17.4
+Version: v0.17.5
 Licence type (autodetected): Apache-2.0
 --------------------------------------------------------------------------------
 
-Contents of probable licence file $GOMODCACHE/github.com/elastic/[email protected].4/LICENSE:
+Contents of probable licence file $GOMODCACHE/github.com/elastic/[email protected].5/LICENSE:
 
                                  Apache License
                            Version 2.0, January 2004
@@ -1952,11 +1952,11 @@ Contents of probable licence file $GOMODCACHE/github.com/elastic/elastic-transpo
 
 --------------------------------------------------------------------------------
 Dependency : github.com/elastic/go-elasticsearch/v8
-Version: v8.16.0
+Version: v8.17.0
 Licence type (autodetected): Apache-2.0
 --------------------------------------------------------------------------------
 
-Contents of probable licence file $GOMODCACHE/github.com/elastic/go-elasticsearch/v8@v8.16.0/LICENSE:
+Contents of probable licence file $GOMODCACHE/github.com/elastic/go-elasticsearch/v8@v8.17.0/LICENSE:
 
                                  Apache License
                            Version 2.0, January 2004

changelog/fragments/1732656422-add-actionable-error-message-for-enroll-command.yaml

@@ -0,0 +1,31 @@
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: enhancement
+
+# Change summary; a 80ish characters long description of the change.
+summary: Elastic agent returns an actionable error message when a the use trying to execute the enroll command is not the same as the onwer of the elastic-agent program files
+
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment.
+#description:
+
+# Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc.
+component: elastic-agent
+
+# PR URL; optional; the PR number that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+pr: https://github.com/elastic/elastic-agent/pull/6144
+# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+issue: https://github.com/elastic/elastic-agent/issues/4889

go.mod

@@ -16,10 +16,10 @@ require (
 	github.com/elastic/beats/v7 v7.0.0-alpha2.0.20241202144630-0eb63c16f21a
 	github.com/elastic/elastic-agent-autodiscover v0.9.0
 	github.com/elastic/elastic-agent-client/v7 v7.17.0
-	github.com/elastic/elastic-agent-libs v0.17.4
+	github.com/elastic/elastic-agent-libs v0.17.5
 	github.com/elastic/elastic-agent-system-metrics v0.11.4
 	github.com/elastic/elastic-transport-go/v8 v8.6.0
-	github.com/elastic/go-elasticsearch/v8 v8.16.0
+	github.com/elastic/go-elasticsearch/v8 v8.17.0
 	github.com/elastic/go-licenser v0.4.2
 	github.com/elastic/go-sysinfo v1.15.0
 	github.com/elastic/go-ucfg v0.8.8

go.sum

@@ -444,8 +444,8 @@ github.com/elastic/elastic-agent-autodiscover v0.9.0 h1:+iWIKh0u3e8I+CJa3FfWe9h0
 github.com/elastic/elastic-agent-autodiscover v0.9.0/go.mod h1:5iUxLHhVdaGSWYTveSwfJEY4RqPXTG13LPiFoxcpFd4=
 github.com/elastic/elastic-agent-client/v7 v7.17.0 h1:TPLrEHF4kJ3RkmQzZPffrniY4WeW4vriHZbOAzM1hFo=
 github.com/elastic/elastic-agent-client/v7 v7.17.0/go.mod h1:6h+f9QdIr3GO2ODC0Y8+aEXRwzbA5W4eV4dd/67z7nI=
-github.com/elastic/elastic-agent-libs v0.17.4 h1:kWK5Kn2EQjM97yHqbeXv+cFAIti4IiI9Qj8huM+lZzE=
-github.com/elastic/elastic-agent-libs v0.17.4/go.mod h1:5CR02awPrBr+tfmjBBK+JI+dMmHNQjpVY24J0wjbC7M=
+github.com/elastic/elastic-agent-libs v0.17.5 h1:oyv5BohMia+49tZnsOmTyRWp5LoZbH8iOmGa7c4TqTs=
+github.com/elastic/elastic-agent-libs v0.17.5/go.mod h1:5CR02awPrBr+tfmjBBK+JI+dMmHNQjpVY24J0wjbC7M=
 github.com/elastic/elastic-agent-system-metrics v0.11.4 h1:Z/8CML5RKvGpi6/QUFok1K3EriBAv2kUAXnsk8hCifk=
 github.com/elastic/elastic-agent-system-metrics v0.11.4/go.mod h1:TTW2ysv78uHBQ68hG8TXiaX1m6f29ZHgGWb8XONYsU8=
 github.com/elastic/elastic-transport-go/v8 v8.6.0 h1:Y2S/FBjx1LlCv5m6pWAF2kDJAHoSjSRSJCApolgfthA=
@@ -458,8 +458,8 @@ github.com/elastic/go-docappender/v2 v2.3.2 h1:FJhYgq2DpCaxGaZUquc75dauEzWTWOyWU
 github.com/elastic/go-docappender/v2 v2.3.2/go.mod h1:5URybRUfmexRMtM/lwvcIRLje3Gsrj15qiiLm41gDrc=
 github.com/elastic/go-elasticsearch/v7 v7.17.10 h1:TCQ8i4PmIJuBunvBS6bwT2ybzVFxxUhhltAs3Gyu1yo=
 github.com/elastic/go-elasticsearch/v7 v7.17.10/go.mod h1:OJ4wdbtDNk5g503kvlHLyErCgQwwzmDtaFC4XyOxXA4=
-github.com/elastic/go-elasticsearch/v8 v8.16.0 h1:f7bR+iBz8GTAVhwyFO3hm4ixsz2eMaEy0QroYnXV3jE=
-github.com/elastic/go-elasticsearch/v8 v8.16.0/go.mod h1:lGMlgKIbYoRvay3xWBeKahAiJOgmFDsjZC39nmO3H64=
+github.com/elastic/go-elasticsearch/v8 v8.17.0 h1:e9cWksE/Fr7urDRmGPGp47Nsp4/mvNOrU8As1l2HQQ0=
+github.com/elastic/go-elasticsearch/v8 v8.17.0/go.mod h1:lGMlgKIbYoRvay3xWBeKahAiJOgmFDsjZC39nmO3H64=
 github.com/elastic/go-grok v0.3.1 h1:WEhUxe2KrwycMnlvMimJXvzRa7DoByJB4PVUIE1ZD/U=
 github.com/elastic/go-grok v0.3.1/go.mod h1:n38ls8ZgOboZRgKcjMY8eFeZFMmcL9n2lP0iHhIDk64=
 github.com/elastic/go-licenser v0.4.2 h1:bPbGm8bUd8rxzSswFOqvQh1dAkKGkgAmrPxbUi+Y9+A=

internal/pkg/agent/cmd/enroll.go

@@ -351,6 +351,24 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command) error {
 
 	fromInstall, _ := cmd.Flags().GetBool(fromInstallArg)
 
+	hasRoot, err := utils.HasRoot()
+	if err != nil {
+		return fmt.Errorf("checking if running with root/Administrator privileges: %w", err)
+	}
+	if hasRoot && !fromInstall {
+		binPath, err := os.Executable()
+		if err != nil {
+			return fmt.Errorf("error while getting executable path: %w", err)
+		}
+		isOwner, err := isOwnerExec(binPath)
+		if err != nil {
+			return fmt.Errorf("ran into an error while figuring out if user is allowed to execute the enroll command: %w", err)
+		}
+		if !isOwner {
+			return UserOwnerMismatchError
+		}
+	}
+
 	pathConfigFile := paths.ConfigFile()
 	rawConfig, err := config.LoadFile(pathConfigFile)
 	if err != nil {
@@ -525,7 +543,6 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command) error {
 		pathConfigFile,
 		store,
 	)
-
 	if err != nil {
 		return err
 	}

internal/pkg/agent/cmd/enroll_match_fileowner_unix.go

@@ -0,0 +1,59 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0;
+// you may not use this file except in compliance with the Elastic License 2.0.
+
+//go:build !windows
+
+package cmd
+
+import (
+	"fmt"
+	"os"
+	"strconv"
+	"syscall"
+
+	"github.com/elastic/elastic-agent/internal/pkg/agent/errors"
+)
+
+var UserOwnerMismatchError = errors.New("the command is executed as root but the program files are not owned by the root user. execute the command as the user that owns the program files")
+
+func getFileOwner(filePath string) (string, error) {
+	fileInfo, err := os.Stat(filePath)
+	if err != nil {
+		return "", fmt.Errorf("failed to get file info: %w", err)
+	}
+
+	stat, ok := fileInfo.Sys().(*syscall.Stat_t)
+	if !ok {
+		return "", fmt.Errorf("failed to get system specific file info: %w", err)
+	}
+	return strconv.Itoa(int(stat.Uid)), nil
+}
+
+func getCurrentUser() (string, error) {
+	return strconv.Itoa(os.Geteuid()), nil
+}
+
+func isFileOwner(curUser string, fileOwner string) (bool, error) {
+	return curUser == fileOwner, nil
+}
+
+// Checks if the provided file is owned by the user that initiated the process
+func isOwnerExec(filePath string) (bool, error) {
+	owner, err := getFileOwner(filePath)
+	if err != nil {
+		return false, fmt.Errorf("failed to get file owner: %w", err)
+	}
+
+	curUser, err := getCurrentUser()
+	if err != nil {
+		return false, fmt.Errorf("failed to get current user: %w", err)
+	}
+
+	isOwner, err := isFileOwner(curUser, owner)
+	if err != nil {
+		return false, fmt.Errorf("error while checking if current user is the file owner: %w", err)
+	}
+
+	return isOwner, nil
+}

internal/pkg/agent/cmd/enroll_match_fileowner_unix_test.go

@@ -0,0 +1,28 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0;
+// you may not use this file except in compliance with the Elastic License 2.0.
+
+//go:build !windows
+
+package cmd
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestIsOwnerExecUnix(t *testing.T) {
+	path := t.TempDir()
+	fp := filepath.Join(path, "testfile")
+	fi, err := os.Create(fp)
+	require.NoError(t, err)
+	defer fi.Close()
+
+	isOwner, err := isOwnerExec(fp)
+	require.NoError(t, err)
+
+	require.True(t, isOwner)
+}

internal/pkg/agent/cmd/enroll_match_fileowner_windows.go

@@ -0,0 +1,92 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0;
+// you may not use this file except in compliance with the Elastic License 2.0.
+
+//go:build windows
+
+package cmd
+
+import (
+	"fmt"
+
+	"golang.org/x/sys/windows"
+
+	"github.com/elastic/elastic-agent/internal/pkg/agent/errors"
+)
+
+var UserOwnerMismatchError = errors.New("the command is executed as root but the program files are not owned by the root user.")
+
+func getFileOwner(filePath string) (string, error) {
+	// Get security information of the file
+	sd, err := windows.GetNamedSecurityInfo(
+		filePath,
+		windows.SE_FILE_OBJECT,
+		windows.OWNER_SECURITY_INFORMATION,
+	)
+	if err != nil {
+		return "", fmt.Errorf("failed to get security info: %w", err)
+	}
+	owner, _, err := sd.Owner()
+	if err != nil {
+		return "", fmt.Errorf("failed to get security descriptor owner: %w", err)
+	}
+
+	return owner.String(), nil
+}
+
+// Helper to get the current user's SID
+func getCurrentUser() (string, error) {
+	// Get the token for the current process
+	var token windows.Token
+	err := windows.OpenProcessToken(windows.CurrentProcess(), windows.TOKEN_QUERY, &token)
+	if err != nil {
+		return "", fmt.Errorf("failed to open process token: %w", err)
+	}
+	defer token.Close()
+
+	// Get the token use
+	tokenUser, err := token.GetTokenUser()
+	if err != nil {
+		return "", fmt.Errorf("failed to get token user: %w", err)
+	}
+
+	return tokenUser.User.Sid.String(), nil
+}
+
+func isFileOwner(curUser string, fileOwner string) (bool, error) {
+	var cSid *windows.SID
+	err := windows.ConvertStringSidToSid(windows.StringToUTF16Ptr(curUser), &cSid)
+	if err != nil {
+		return false, fmt.Errorf("failed to convert user SID string to SID: %w", err)
+	}
+
+	var fSid *windows.SID
+	err = windows.ConvertStringSidToSid(windows.StringToUTF16Ptr(fileOwner), &fSid)
+	if err != nil {
+		return false, fmt.Errorf("failed to convert file SID string to SID: %w", err)
+	}
+
+	isEqual := fSid.Equals(cSid)
+
+	return isEqual, nil
+}
+
+// Checks if the provided file is owned by the user that initiated the process
+func isOwnerExec(filePath string) (bool, error) {
+	fileOwner, err := getFileOwner(filePath)
+	if err != nil {
+		return false, fmt.Errorf("getting file owner: %w", err)
+	}
+
+	user, err := getCurrentUser()
+	if err != nil {
+		return false, fmt.Errorf("ran into an error while retrieving current user: %w", err)
+	}
+
+	isOwner, err := isFileOwner(user, fileOwner)
+	if err != nil {
+		return false, fmt.Errorf("error while checking if current user is the file owner: %w", err)
+	}
+
+	return isOwner, nil
+}

internal/pkg/agent/cmd/enroll_match_fileowner_windows_test.go

@@ -0,0 +1,52 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0;
+// you may not use this file except in compliance with the Elastic License 2.0.
+
+//go:build windows
+
+package cmd
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"golang.org/x/sys/windows"
+)
+
+func TestIsOwnerExecWindows(t *testing.T) {
+	path := t.TempDir()
+	fp := filepath.Join(path, "testfile")
+	fi, err := os.Create(fp)
+	require.NoError(t, err)
+	defer fi.Close()
+
+	var token windows.Token
+	err = windows.OpenProcessToken(windows.CurrentProcess(), windows.TOKEN_QUERY, &token)
+	require.NoError(t, err)
+	defer token.Close()
+
+	tokenUser, err := token.GetTokenUser()
+	require.NoError(t, err)
+
+	err = windows.SetNamedSecurityInfo(
+		fp,
+		windows.SE_FILE_OBJECT,
+		windows.OWNER_SECURITY_INFORMATION,
+		tokenUser.User.Sid,
+		nil,
+		nil,
+		nil,
+	)
+	require.NoError(t, err)
+
+	require.NoError(t, err)
+	defer fi.Close()
+
+	isOwner, err := isOwnerExec(fp)
+	require.NoError(t, err)
+
+	require.True(t, isOwner, fmt.Sprintf("expected isOwnerExec to return \"true\", received \"%v\"", isOwner))
+}