logstash-plugins/logstash-output-csv

clarify file_mode and dir_mode

colinsurprenant opened this issue · 0 comments

colinsurprenant commented

Retranscripting a user's investigation:

Under documentation for CSV is a documentation for file_mode:
https://www.elastic.co/guide/en/logstash/current/plugins-outputs-csv.html#plugins-outputs-csv-file_mode
There is the sentence:
File access mode to use. Note that due to the bug in jruby system umask is ignored on linux: jruby/jruby#3426 Setting it to -1 uses default OS value. Example: "file_mode" => 0640

In my opinion this documentation about file_mode and dir_mode as well is not true.
I did some tests with filemask:
/usr/share/logstash/bin/logstash --config.string 'input { stdin { } } output { csv { path => "/usr/share/logstash/00359402.csv" fields => "message" file_mode => 0000 } }' --log.level=debug

And result was this table:
0000 ----------.
0001 ---------x.
0002 ----------.
0003 ---------x.
0004 -------r--.
0005 -------r-x.
0006 -------r--.
0007 -------r-x.
Under RHEL7 umask for root is 0022.

I found this documentation about the ruby File method:
http://www.ruby-doc.org/core-2.1.2/File.html#method-c-new
which essentially says that ruby uses system call with open and chmod, which essentially says umask is always ignored regarding the bit that is set.
https://www.linuxnix.com/umask-define-linuxunix/
Umask values are subtracted from the default permissions, so a umask of 0222 would make a file read-only for everyone.

So if root default is 0022 which means that for group and other is always read-only, which is exactly what is happening here.

So I tested to set umask to 0000:

   umask 0000 ; /usr/share/logstash/bin/logstash --config.string 'input { stdin { } } output {   csv { path => "/usr/share/logstash/00359402.csv" fields => "message" file_mode => 0222 }   }' --log.level=debug ; umask 0022

result was a file with correct rights:

--w--w--w-. 1 root root 52 Jul  4 16:27 /usr/share/logstash/00359402.csv

So one solution can be, that the documentation page documents that.

Another solution can be, that Systemd could set umask for logstash, but this is not a good solution.
vim /etc/systemd/system/multi-user.target.wants/logstash.service

      [Service]
      UMask=0000

3rd solution could be, that another Ruby solution will be established for that.

I could not reproduce this bug under RHEL7
jruby/jruby#3426

/usr/share/logstash/bin/logstash --interactive irb
under user root:           puts File.umask      18 => nil
under user  logstash:   puts File.umask        2 => nil