Feature Proposal: Omnibus Configuration to Adjust the Permissions on Log Folders and Files
Problem
When running the fluentd agent to gather logs in an environment created by GET, currently it must be run as root in order to avoid permissions issues. However, this violates the principle of least privilege and opens up potential attack vectors.
Proposed Solution
To solve this problem, we propose adding functionality allowing Omnibus to be configured to adjust permissions on log folders and files to provide other users access for scraping.
This will allow us to securely run td-agent/fluentd on VMs without needing root permission.
Please let us know if this falls under Omnibus' scope or whether this change should be made somewhere in the GitLab application.
Implementation proposal (from #6731 (comment 1096287097))
- For each service, have `log_user` and `log_group` settings. Default values for these will be the current ownership of log directories.
- Log directories will be created with ownership set to the values of these settings.
- `svlogd` will be run by `chpst`ing into this user/group.
- For the use case mentioned in the issue description, the user as which external services (fluentd/td-agent) run can be added to the specified group and thus gain access to logs.
Edited by Balasankar 'Balu' C
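One way to check the outcome of the proposal above on a host is to audit a log directory for group-based read access. This is an added example, not code from the issue or from GitLab. The function names, the sample tree, and the policy it enforces (expected group, group read, no group write, no access for other users) are assumptions made for illustration.

```python
import os
import stat
import tempfile

def audit_log_tree(root, expected_gid):
    """Return (path, problem) pairs for a log tree meant to be read via group membership."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            mode = stat.S_IMODE(st.st_mode)
            # Group members need r on files, and r+x on directories to list and enter them.
            need = stat.S_IRGRP | (stat.S_IXGRP if stat.S_ISDIR(st.st_mode) else 0)
            if st.st_gid != expected_gid:
                findings.append((path, "unexpected group"))
            if mode & need != need:
                findings.append((path, "group cannot read"))
            if mode & stat.S_IWGRP:
                findings.append((path, "group can write"))
            if mode & stat.S_IRWXO:
                findings.append((path, "open to other users"))
    return findings

def build_sample_tree():
    """Constructed sample tree: one correct file and two misconfigured ones."""
    root = tempfile.mkdtemp(prefix="logs-")
    os.chown(root, -1, os.getegid())  # pin the group so new files share it
    os.chmod(root, 0o750)
    for name, mode in (("current", 0o640), ("state", 0o600), ("old.log", 0o644)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed log line\n")
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    for path, problem in audit_log_tree(root, os.stat(root).st_gid):
        print(problem, path)
```

Run against a real log directory, pass the numeric gid of the group the scraper user was added to.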