From 8c193c8b171b9770342f0fcdb0d4622dc3b6044f Mon Sep 17 00:00:00 2001
From: Andrey Smirnov
Date: Mon, 4 Nov 2024 17:26:15 +0400
Subject: [PATCH] fix: update permissions for logging directories in /var
Fixes #9630
Signed-off-by: Andrey Smirnov
(cherry picked from commit 7f3aaa21cd8d969e26721235a4191ba3bdbc1f8f)
---
 .../v1alpha1/v1alpha1_sequencer_tasks.go | 54 ++++++++++++++++---
 1 file changed, 46 insertions(+), 8 deletions(-)
diff --git a/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go b/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go
index 0726946bbd..348311a917 100644
--- a/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go
+++ b/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go
@@ -887,20 +887,58 @@ func SetupVarDirectory(runtime.Sequence, any) (runtime.TaskExecutionFunc, string
 				return err
 			}
 
-		for _, p := range []string{"/var/log/audit", "/var/log/containers", "/var/log/pods", "/var/lib/kubelet", "/var/run/lock", constants.SeccompProfilesDirectory} {
-			if err := os.MkdirAll(p, 0o700); err != nil {
+		for _, dir := range []struct {
+			Path     string
+			Mode     os.FileMode
+			UID, GID int
+		}{
+			{
+				Path: "/var/log",
+				Mode: 0o755,
+			},
+			{
+				Path: "/var/log/audit",
+				Mode: 0o700,
+			},
+			{
+				Path: "/var/log/containers",
+				Mode: 0o755,
+			},
+			{
+				Path: "/var/log/pods",
+				Mode: 0o755,
+			},
+			{
+				Path: "/var/lib/kubelet",
+				Mode: 0o700,
+			},
+			{
+				Path: "/var/run/lock",
+				Mode: 0o755,
+			},
+			{
+				Path: constants.SeccompProfilesDirectory,
+				Mode: 0o700,
+			},
+			{
+				Path: constants.KubernetesAuditLogDir,
+				Mode: 0o700,
+				UID:  constants.KubernetesAPIServerRunUser,
+				GID:  constants.KubernetesAPIServerRunGroup,
+			},
+		} {
+			if err := os.MkdirAll(dir.Path, dir.Mode); err != nil {
 				return err
 			}
-		}
 
-		// Handle Kubernetes directories which need different ownership
-		for _, p := range []string{constants.KubernetesAuditLogDir} {
-			if err := os.MkdirAll(p, 0o700); err != nil {
+			if err := os.Chmod(dir.Path, dir.Mode); err != nil {
 				return err
 			}
 
-			if err := os.Chown(p, constants.KubernetesAPIServerRunUser, constants.KubernetesAPIServerRunGroup); err != nil {
-				return fmt.Errorf("failed to chown %s: %w", p, err)
+			if dir.UID != 0 || dir.GID != 0 {
+				if err := os.Chown(dir.Path, dir.UID, dir.GID); err != nil {
+					return err
+				}
 			}
 		}
 
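Review bot: The guard `if dir.UID != 0 || dir.GID != 0` uses zero as an "unset" sentinel, so the mode of every directory is now enforced on each run via `os.Chmod`, but ownership is enforced only for the one entry that sets UID/GID; a pre-existing root-intended directory whose owner has drifted is left as is, which is an asymmetry worth stating in the code. Either document the sentinel on the struct, e.g. `// UID/GID of 0 means "leave ownership untouched"; the directory is expected to be root-owned.`, or make ownership explicit for all entries by chowning unconditionally (0/0 for the root-owned ones) so mode and owner are reconciled the same way. Note also that the old path-qualified error message was dropped; `os.Chown`/`os.Chmod` return a `*PathError` that carries the path, so that is fine, but a one-line comment saying so would stop the next reader from re-adding the wrapper. The enclosing function literal starts before this hunk and its body continues past it.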