From 2332819e06e38705766a07f12ead2f0609f06005 Mon Sep 17 00:00:00 2001
From: Jaime Soriano Pastor <jaime.soriano@elastic.co>
Date: Wed, 3 Jun 2020 11:41:00 +0200
Subject: [PATCH] Cherry-pick #18872 to 7.x: Revert "Allow the Docker image to
 be run with a random user id (#12905)" (#18902)

This reverts commits 9dbdc1579f350d3beaff156b78a365e3a200e2cd and 3eac5f7b69a5627dfd9e241c1916988c1c602760.

(cherry picked from commit 7927da756745a574d3d7f020cbda85c0ccb58cb5)
---
 CHANGELOG.next.asciidoc                              |  1 -
 dev-tools/packaging/package_test.go                  |  9 ++-------
 dev-tools/packaging/templates/docker/Dockerfile.tmpl | 10 +++++-----
 3 files changed, 7 insertions(+), 13 deletions(-)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 69360ba60b1..08abdd67e19 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -314,7 +314,6 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add Kerberos support to Elasticsearch output. {pull}17927[17927]
 - Add support for fixed length extraction in `dissect` processor. {pull}17191[17191]
 - Update RPM packages contained in Beat Docker images. {issue}17035[17035]
-- Change ownership of files in docker images so they can be used in secured environments. {pull}12905[12905]
 - Add TLS support to Kerberos authentication in Elasticsearch. {pull}18607[18607]
 - Upgrade k8s.io/client-go and k8s keystore tests. {pull}18817[18817]
 
diff --git a/dev-tools/packaging/package_test.go b/dev-tools/packaging/package_test.go
index 9e5c8f4e597..96173cde880 100644
--- a/dev-tools/packaging/package_test.go
+++ b/dev-tools/packaging/package_test.go
@@ -186,13 +186,8 @@ func checkDocker(t *testing.T, file string) {
 	checkDockerEntryPoint(t, p, info)
 	checkDockerLabels(t, p, info, file)
 	checkDockerUser(t, p, info, *rootUserContainer)
-
-	// The configuration file in the Docker image is expected to be readable and writable by any user who belongs to
-	// the root group. This is done in order to allow the docker image to run on secured Kubernetes environment where
-	// the user ID used to run a container can't be known in advance.
-	checkConfigPermissionsWithMode(t, p, os.FileMode(0660))
-	checkManifestPermissionsWithMode(t, p, os.FileMode(0660))
-
+	checkConfigPermissionsWithMode(t, p, os.FileMode(0640))
+	checkManifestPermissionsWithMode(t, p, os.FileMode(0640))
 	checkModulesPresent(t, "", p)
 	checkModulesDPresent(t, "", p)
 }
diff --git a/dev-tools/packaging/templates/docker/Dockerfile.tmpl b/dev-tools/packaging/templates/docker/Dockerfile.tmpl
index 0d6cfa90b4c..1123bb14f7b 100644
--- a/dev-tools/packaging/templates/docker/Dockerfile.tmpl
+++ b/dev-tools/packaging/templates/docker/Dockerfile.tmpl
@@ -30,10 +30,10 @@ RUN chmod 755 /usr/local/bin/docker-entrypoint
 RUN groupadd --gid 1000 {{ .BeatName }}
 
 RUN mkdir {{ $beatHome }}/data {{ $beatHome }}/logs && \
-    chown -R root:root {{ $beatHome }} && \
-    find {{ $beatHome }} -type d -exec chmod 0770 {} \; && \
-    find {{ $beatHome }} -type f -exec chmod 0660 {} \; && \
-    chmod 0770 {{ $beatBinary }} && \
+    chown -R root:{{ .BeatName }} {{ $beatHome }} && \
+    find {{ $beatHome }} -type d -exec chmod 0750 {} \; && \
+    find {{ $beatHome }} -type f -exec chmod 0640 {} \; && \
+    chmod 0750 {{ $beatBinary }} && \
 {{- if .linux_capabilities }}
     setcap {{ .linux_capabilities }} {{ $beatBinary }} && \
 {{- end }}
@@ -43,7 +43,7 @@ RUN mkdir {{ $beatHome }}/data {{ $beatHome }}/logs && \
     chmod 0770 {{ $beatHome }}/data {{ $beatHome }}/logs
 
 {{- if ne .user "root" }}
-RUN useradd -M --uid 1000 --gid 1000 --groups 0 --home {{ $beatHome }} {{ .user }}
+RUN useradd -M --uid 1000 --gid 1000 --home {{ $beatHome }} {{ .user }}
 {{- end }}
 USER {{ .user }}