fix: open log file with mode 0600 and remove permission widening fallback

bcho · bcho · commit 684618d6792d · 2026-04-16T17:49:10.000-07:00
The agent runs as root, so if it cannot open its own log file, chmod/chown
workarounds won't help — just fail. Removed the fallback that ran chmod 666
which made the log world-writable. Now opens with 0600 and returns the error
directly on failure.
diff --git a/components/arc/v20260301/arc_registration.go b/components/arc/v20260301/arc_registration.go
@@ -169,8 +169,8 @@ func (a *installArcAction) addAuthenticationArgs(ctx context.Context, args *[]st
 	// The token is short-lived (~60 minutes) which limits the exposure window, but it is
 	// still observable during the registration process. azcmagent does not currently support
 	// reading the token from stdin or an environment variable.
-	// Consider switching to --service-principal-cert or --use-azcli when feasible.
-	// See: https://learn.microsoft.com/en-us/azure/azure-arc/servers/azcmagent-connect
+	// TODO: Check if we can let azcmagent discover auth settings on its own (e.g. --use-azcli
+	// or VM MSI) instead of fetching a token ourselves and passing it on the command line.
 	*args = append(*args, "--access-token", accessToken)
 
 	a.logger.Debug("Authentication arguments added to Arc agent command")
diff --git a/pkg/logger/logger.go b/pkg/logger/logger.go
@@ -158,20 +158,10 @@ func setupLogFileWriter(logDir string) (io.Writer, error) {
 		return nil, fmt.Errorf("failed to create log file '%s': %w", logFilePath, err)
 	}
 
-	// Try to open log file for writing, handle permission issues
-	file, err := os.OpenFile(logFilePath, os.O_WRONLY|os.O_APPEND, 0666)
+	// Open log file for appending (mode arg is ignored without O_CREATE — permissions
+	// are set in createLogFileIfNotExists above)
+	file, err := os.OpenFile(logFilePath, os.O_WRONLY|os.O_APPEND, 0) //#nosec G304 - logFilePath is from trusted agent config
 	if err != nil {
-		// If it's a permission error and we're not running as root, try to fix permissions
-		if os.IsPermission(err) {
-			// Try to fix permissions using system command
-			if fixErr := utils.RunSystemCommand("chmod", "666", logFilePath); fixErr == nil {
-				// Retry opening the file after fixing permissions
-				file, err = os.OpenFile(logFilePath, os.O_WRONLY|os.O_APPEND, 0666)
-				if err == nil {
-					return file, nil
-				}
-			}
-		}
 		return nil, fmt.Errorf("failed to open log file '%s': %w", logFilePath, err)
 	}
 
@@ -218,7 +208,7 @@ func createLogFileIfNotExists(logFilePath string) error {
 	// should have the correct user/group and the log directory should already exist
 	if isRunningUnderSystemd() {
 		// Try direct file creation with appropriate permissions
-		file, err := os.OpenFile(logFilePath, os.O_CREATE|os.O_WRONLY, 0644)
+		file, err := os.OpenFile(logFilePath, os.O_CREATE|os.O_WRONLY, 0600) //#nosec G304 - logFilePath is from trusted agent config
 		if err == nil {
 			_ = file.Close()
 			return nil
@@ -228,7 +218,7 @@ func createLogFileIfNotExists(logFilePath string) error {
 	}
 
 	// Use WriteFileAtomicSystem to create an empty log file with proper permissions
-	if err := utilio.WriteFile(logFilePath, []byte{}, 0644); err != nil {
+	if err := utilio.WriteFile(logFilePath, []byte{}, 0600); err != nil {
 		return err
 	}
 
