fix: open log file with mode 0600 and remove permission widening fallback

The agent runs as root, so if it cannot open its own log file, chmod/chown
workarounds won't help — just fail. Removed the fallback that ran chmod 666
which made the log world-writable. Now opens with 0600 and returns the error
directly on failure.

Author: bcho

components/arc/v20260301/arc_registration.go

@@ -169,8 +169,8 @@ func (a *installArcAction) addAuthenticationArgs(ctx context.Context, args *[]st
 	// The token is short-lived (~60 minutes) which limits the exposure window, but it is
 	// still observable during the registration process. azcmagent does not currently support
 	// reading the token from stdin or an environment variable.
-	// Consider switching to --service-principal-cert or --use-azcli when feasible.
-	// See: https://learn.microsoft.com/en-us/azure/azure-arc/servers/azcmagent-connect
+	// TODO: Check if we can let azcmagent discover auth settings on its own (e.g. --use-azcli
+	// or VM MSI) instead of fetching a token ourselves and passing it on the command line.
 	*args = append(*args, "--access-token", accessToken)
 
 	a.logger.Debug("Authentication arguments added to Arc agent command")

pkg/logger/logger.go

@@ -9,8 +9,6 @@ import (
 	"runtime"
 	"strings"
 
-	"github.com/Azure/AKSFlexNode/pkg/utils"
-	"github.com/Azure/AKSFlexNode/pkg/utils/utilio"
 	"github.com/sirupsen/logrus"
 )
 
@@ -153,25 +151,9 @@ func setupLogFileWriter(logDir string) (io.Writer, error) {
 
 	logFilePath := filepath.Join(logDir, "aks-flex-node.log")
 
-	// Create the log file if it doesn't exist
-	if err := createLogFileIfNotExists(logFilePath); err != nil {
-		return nil, fmt.Errorf("failed to create log file '%s': %w", logFilePath, err)
-	}
-
-	// Try to open log file for writing, handle permission issues
-	file, err := os.OpenFile(logFilePath, os.O_WRONLY|os.O_APPEND, 0666)
+	// Open log file for appending, creating it with 0600 if it doesn't exist
+	file, err := os.OpenFile(logFilePath, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0600) //#nosec G304 - logFilePath is from trusted agent config
 	if err != nil {
-		// If it's a permission error and we're not running as root, try to fix permissions
-		if os.IsPermission(err) {
-			// Try to fix permissions using system command
-			if fixErr := utils.RunSystemCommand("chmod", "666", logFilePath); fixErr == nil {
-				// Retry opening the file after fixing permissions
-				file, err = os.OpenFile(logFilePath, os.O_WRONLY|os.O_APPEND, 0666)
-				if err == nil {
-					return file, nil
-				}
-			}
-		}
 		return nil, fmt.Errorf("failed to open log file '%s': %w", logFilePath, err)
 	}
 
@@ -207,45 +189,6 @@ func setupLogFile(logger *logrus.Logger, logDir string) error {
 	return nil
 }
 
-// createLogFileIfNotExists creates a log file using appropriate method based on path privileges
-func createLogFileIfNotExists(logFilePath string) error {
-	// Check if file already exists
-	if utils.FileExists(logFilePath) {
-		return nil
-	}
-
-	// For systemd services, try direct file creation first since the service
-	// should have the correct user/group and the log directory should already exist
-	if isRunningUnderSystemd() {
-		// Try direct file creation with appropriate permissions
-		file, err := os.OpenFile(logFilePath, os.O_CREATE|os.O_WRONLY, 0644)
-		if err == nil {
-			_ = file.Close()
-			return nil
-		}
-		// If direct creation fails, fall through to the system method
-		fmt.Printf("Warning: Direct log file creation failed (%v), trying system method...\n", err)
-	}
-
-	// Use WriteFileAtomicSystem to create an empty log file with proper permissions
-	if err := utilio.WriteFile(logFilePath, []byte{}, 0644); err != nil {
-		return err
-	}
-
-	// Ensure proper ownership for the current user after file creation
-	// Skip this for systemd services as they should already have correct ownership
-	if !isRunningUnderSystemd() {
-		currentUser := os.Getenv("USER")
-		if currentUser != "" {
-			if err := utils.RunSystemCommand("chown", currentUser+":"+currentUser, logFilePath); err != nil {
-				fmt.Printf("Warning: Failed to change ownership of %s to %s: %v\n", logFilePath, currentUser, err)
-			}
-		}
-	}
-
-	return nil
-}
-
 // GetLoggerFromContext retrieves the logger from context
 func GetLoggerFromContext(ctx context.Context) *logrus.Logger {
 	if logger, ok := ctx.Value(loggerContextKey).(*logrus.Logger); ok {