fix: open log file with mode 0600 and remove permission widening fallback

The agent runs as root, so if it cannot open its own log file, chmod/chown
workarounds won't help — just fail. Removed the fallback that ran chmod 666
which made the log world-writable. Now opens with 0600 and returns the error
directly on failure.

Author: bcho

pkg/logger/logger.go

@@ -158,20 +158,9 @@ func setupLogFileWriter(logDir string) (io.Writer, error) {
 		return nil, fmt.Errorf("failed to create log file '%s': %w", logFilePath, err)
 	}
 
-	// Try to open log file for writing, handle permission issues
-	file, err := os.OpenFile(logFilePath, os.O_WRONLY|os.O_APPEND, 0666)
+	// Try to open log file for writing
+	file, err := os.OpenFile(logFilePath, os.O_WRONLY|os.O_APPEND, 0600) //#nosec G304 - logFilePath is from trusted agent config
 	if err != nil {
-		// If it's a permission error and we're not running as root, try to fix permissions
-		if os.IsPermission(err) {
-			// Try to fix permissions using system command
-			if fixErr := utils.RunSystemCommand("chmod", "666", logFilePath); fixErr == nil {
-				// Retry opening the file after fixing permissions
-				file, err = os.OpenFile(logFilePath, os.O_WRONLY|os.O_APPEND, 0666)
-				if err == nil {
-					return file, nil
-				}
-			}
-		}
 		return nil, fmt.Errorf("failed to open log file '%s': %w", logFilePath, err)
 	}