authorAustin S. Hemmelgarn <austin@netdata.cloud>2020-01-24 07:19:40 -0500
committerGitHub <noreply@github.com>2020-01-24 07:19:40 -0500
commitde9a08df6cc8f8a9ec381564599ad0c8d3f4e352 (patch)
tree4832d74780117c6081c27331e788d224f61fcfbd
parentf1d133190bda44504a7f55834ec626ab4e3d32ee (diff)
Fix install permissions (#7632)
* Fix ownership and permissions in RPM packages. This restructures things so that we're relying as much as possible on the `make install` command, which gets the ownership and permissions right in most cases. It does not change any of the capabilities afforded to various commands, those need further investigation to be set correctly. * Use correct perms and owners in installer script. This corrects the permissions and ownership of files as installed through the regular installer script (used for kickstart.sh installs).
-rwxr-xr-xnetdata-installer.sh9
-rw-r--r--netdata.spec.in44
2 files changed, 23 insertions, 30 deletions
diff --git a/netdata-installer.sh b/netdata-installer.sh
index 8dcb3996f7..51dff92ee3 100755
--- a/netdata-installer.sh
+++ b/netdata-installer.sh
@@ -681,9 +681,6 @@ for link in "orig" "${helplink}"; do
run ln -s "${NETDATA_STOCK_CONFIG_DIR}" "${NETDATA_USER_CONFIG_DIR}/${link}"
fi
done
-run chown -R "${ROOT_USER}:${NETDATA_GROUP}" "${NETDATA_STOCK_CONFIG_DIR}"
-run find "${NETDATA_STOCK_CONFIG_DIR}" -type f -exec chmod 0640 {} \;
-run find "${NETDATA_STOCK_CONFIG_DIR}" -type d -exec chmod 0755 {} \;
# --- web dir ----
@@ -729,7 +726,7 @@ if [ "${UID}" -eq 0 ]; then
test -z "${admin_group}" && admin_group="${NETDATA_GROUP}"
run chown "${NETDATA_USER}:${admin_group}" "${NETDATA_LOG_DIR}"
- run chown -R "root:${NETDATA_GROUP}" "${NETDATA_PREFIX}/usr/libexec/netdata"
+ run chown -R "root:${admin_group}" "${NETDATA_PREFIX}/usr/libexec/netdata"
run find "${NETDATA_PREFIX}/usr/libexec/netdata" -type d -exec chmod 0755 {} \;
run find "${NETDATA_PREFIX}/usr/libexec/netdata" -type f -exec chmod 0644 {} \;
run find "${NETDATA_PREFIX}/usr/libexec/netdata" -type f -a -name \*.plugin -exec chmod 0750 {} \;
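Review bot: With the group on `${NETDATA_PREFIX}/usr/libexec/netdata` changed to `${admin_group}`, the `*.plugin` files set to 0750 two lines further down are executable only by root and that group, and the fallback at the top of the hunk shows `admin_group` is not necessarily `${NETDATA_GROUP}`. If `${NETDATA_USER}` is not a member of `admin_group`, any plugin that is not re-chowned later (as the cgroup-network helper is, with `root:${NETDATA_GROUP}`) would no longer be executable by the daemon. Either keep the plugin files in the daemon's group, e.g. `run find "${NETDATA_PREFIX}/usr/libexec/netdata" -type f -name \*.plugin -exec chgrp "${NETDATA_GROUP}" {} \;`, or add a comment stating why `admin_group` is the intended group here. The enclosing `if [ "${UID}" -eq 0 ]` block starts and ends outside the hunk, so later per-file fixes may already cover part of this.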
@@ -789,7 +786,7 @@ if [ "${UID}" -eq 0 ]; then
if [ -f "${NETDATA_PREFIX}/usr/libexec/netdata/plugins.d/cgroup-network-helper.sh" ]; then
run chown "root:${NETDATA_GROUP}" "${NETDATA_PREFIX}/usr/libexec/netdata/plugins.d/cgroup-network-helper.sh"
- run chmod 0550 "${NETDATA_PREFIX}/usr/libexec/netdata/plugins.d/cgroup-network-helper.sh"
+ run chmod 0750 "${NETDATA_PREFIX}/usr/libexec/netdata/plugins.d/cgroup-network-helper.sh"
fi
else
@@ -871,7 +868,7 @@ install_go() {
run rm -rf "${NETDATA_STOCK_CONFIG_DIR}/go.d"
run rm -rf "${NETDATA_STOCK_CONFIG_DIR}/go.d.conf"
run tar -xf "${tmp}/config.tar.gz" -C "${NETDATA_STOCK_CONFIG_DIR}/"
- run chown -R "${ROOT_USER}:${NETDATA_GROUP}" "${NETDATA_STOCK_CONFIG_DIR}"
+ run chown -R "${ROOT_USER}:${ROOT_GROUP}" "${NETDATA_STOCK_CONFIG_DIR}"
run tar xf "${tmp}/${GO_PACKAGE_BASENAME}"
run mv "${GO_PACKAGE_BASENAME/\.tar\.gz/}" "${NETDATA_PREFIX}/usr/libexec/netdata/plugins.d/go.d.plugin"
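Review bot: After this chown the stock configuration is group-owned by `${ROOT_GROUP}`, so the daemon can read the go.d files only through the "other" permission bits, and nothing in the visible lines normalises modes after `tar -xf`. When the installer runs as root, tar keeps the modes stored in `config.tar.gz`, so an archive with 0640 entries would leave the files unreadable to netdata and one with group- or world-writable entries would leave them writable. Consider setting the modes explicitly after extraction, e.g. `run find "${NETDATA_STOCK_CONFIG_DIR}/go.d" -type d -exec chmod 0755 {} \;` and `run find "${NETDATA_STOCK_CONFIG_DIR}/go.d" -type f -exec chmod 0644 {} \;`, with the same treatment for `go.d.conf`. `ROOT_GROUP` is not defined in the visible lines and `install_go` begins and continues outside the hunk, so confirm it is set before this point.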
diff --git a/netdata.spec.in b/netdata.spec.in
index e638fbd3a8..8c80d0a0a9 100644
--- a/netdata.spec.in
+++ b/netdata.spec.in
@@ -394,7 +394,7 @@ install_go() {
return 0
}
install_go
-install -m 0640 -p go.d.plugin "${RPM_BUILD_ROOT}%{_libexecdir}/%{name}/plugins.d/go.d.plugin"
+install -m 0750 -p go.d.plugin "${RPM_BUILD_ROOT}%{_libexecdir}/%{name}/plugins.d/go.d.plugin"
%pre
@@ -421,22 +421,22 @@ rm -rf "${RPM_BUILD_ROOT}"
%doc README.md
%{_sysconfdir}/%{name}
%config(noreplace) %{_sysconfdir}/%{name}/netdata.conf
-
-%defattr(-,root,netdata)
-%dir %{_libdir}/%{name}
-
%config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
-
+%dir %{_libdir}/%{name}
+%dir %{_datadir}/%{name}
%{_libdir}/%{name}
-
-%defattr(0755,netdata,netdata,0755)
+%{_libdir}/%{name}/conf.d/
%{_libexecdir}/%{name}
%{_sbindir}/%{name}
-
-%defattr(0755,root,root,0755)
%{_sbindir}/netdatacli
%{_sbindir}/netdata-claim.sh
+%if %{with systemd}
+%{_unitdir}/netdata.service
+%else
+%{_sysconfdir}/rc.d/init.d/netdata
+%endif
+
%defattr(4750,root,netdata,0750)
%dir %{_libexecdir}/%{name}/python.d
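Review bot: With the three `%defattr` lines removed, every entry from `%{_sysconfdir}/%{name}` down to the init script has no ownership or mode default in the visible lines, so what ends up in the package depends on an earlier `%defattr` outside this hunk or on how the build root was populated. If the intent is root ownership with the modes that `make install` produced, stating it once at the top of the list, `%defattr(-,root,root,-)`, makes that reviewable and independent of the build user. `%{_libdir}/%{name}` and `%{_libdir}/%{name}/conf.d/` are now both listed recursively and overlap; a comment saying which entry is meant to own conf.d would help. The `%files` section starts before the hunk.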
@@ -444,34 +444,28 @@ rm -rf "${RPM_BUILD_ROOT}"
%dir %{_libexecdir}/%{name}/plugins.d
%dir %{_libexecdir}/%{name}/node.d
-%caps(cap_dac_read_search,cap_sys_ptrace=ep) %attr(0550,root,netdata) %{_libexecdir}/%{name}/plugins.d/apps.plugin
+%{_libexecdir}/%{name}/python.d
+%{_libexecdir}/%{name}/plugins.d
+%{_libexecdir}/%{name}/node.d
+
+%caps(cap_dac_read_search,cap_sys_ptrace=ep) %attr(0750,root,netdata) %{_libexecdir}/%{name}/plugins.d/apps.plugin
%if %{with netns}
# cgroup-network detects the network interfaces of CGROUPs
# it must be able to use setns() and run cgroup-network-helper.sh as root
# the helper script reads /proc/PID/fdinfo/* files, runs virsh, etc.
-%caps(cap_setuid=ep) %attr(4550,root,netdata) %{_libexecdir}/%{name}/plugins.d/cgroup-network
-%attr(0550,root,root) %{_libexecdir}/%{name}/plugins.d/cgroup-network-helper.sh
+%caps(cap_setuid=ep) %attr(4750,root,netdata) %{_libexecdir}/%{name}/plugins.d/cgroup-network
+%attr(0750,root,netdata) %{_libexecdir}/%{name}/plugins.d/cgroup-network-helper.sh
%endif
# perf plugin
%caps(cap_setuid=ep) %attr(4750,root,netdata) %{_libexecdir}/%{name}/plugins.d/perf.plugin
# perf plugin
-%caps(cap_setuid=ep) %attr(4550,root,netdata) %{_libexecdir}/%{name}/plugins.d/slabinfo.plugin
+%caps(cap_setuid=ep) %attr(4750,root,netdata) %{_libexecdir}/%{name}/plugins.d/slabinfo.plugin
# freeipmi files
%caps(cap_setuid=ep) %attr(4750,root,netdata) %{_libexecdir}/%{name}/plugins.d/freeipmi.plugin
-%dir %{_datadir}/%{name}
-
-%defattr(0750,netdata,netdata,0755)
-%{_libdir}/%{name}/conf.d/
-
-%if %{with systemd}
-%{_unitdir}/netdata.service
-%else
-%{_sysconfdir}/rc.d/init.d/netdata
-%endif
# Enforce 0644 for files and 0755 for directories
# for the netdata web directory
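Review bot: The recursive entries added for `python.d`, `plugins.d` and `node.d` appear to fall under `%defattr(4750,root,netdata,0750)` from the context just above this hunk, which would give every file beneath them without its own `%attr` a setuid-root mode. That includes go.d.plugin, which the earlier hunk in this file installs as 0750. Only the binaries carrying an explicit `%attr(4750,...)` look intended to be setuid, so the default should not carry the bit: `%defattr(0750,root,netdata,0750)`. The same three directories are still listed with `%dir`, so the new lines duplicate them; a short comment saying the second form is there to pick up the contents would make that clear. One line between the two hunks is not shown, so confirm no other `%defattr` intervenes.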
@@ -522,6 +516,8 @@ are sensor monitoring, system event monitoring, power control, and serial-over-L
%attr(4750,root,netdata) %{_libexecdir}/%{name}/plugins.d/freeipmi.plugin
%changelog
+* Thu Dec 19 2019 Austin Hemmelgarn <austin@netdata.cloud> 0.0.0-11
+- Fix remaining ownership and permissions issues.
* Mon Nov 04 2019 Konstantinos Natsakis <konstantinos.natsakis@gmail.com> 0.0.0-10
- Fix /etc/netdata permissions
* Mon Sep 23 2019 Konstantinos Natsakis <konstantinos.natsakis@gmail.com> 0.0.0-9