diff --git a/.buildkite/pull_request_pipeline.yml b/.buildkite/pull_request_pipeline.yml index 9209144da66..938bb5613b0 100644 --- a/.buildkite/pull_request_pipeline.yml +++ b/.buildkite/pull_request_pipeline.yml @@ -22,10 +22,12 @@ steps: - label: ":rspec: Ruby unit tests" key: "ruby-unit-tests" agents: - image: "docker.elastic.co/ci-agent-images/platform-ingest/buildkite-agent-logstash-ci" + image: "docker.elastic.co/ci-agent-images/platform-ingest/buildkite-agent-logstash-ci-no-root" cpu: "4" memory: "8Gi" ephemeralStorage: "100Gi" + # Run as a non-root user + imageUID: "1002" retry: automatic: - limit: 3 diff --git a/docs/static/settings-file.asciidoc b/docs/static/settings-file.asciidoc index bc43cec6741..704afa9b131 100644 --- a/docs/static/settings-file.asciidoc +++ b/docs/static/settings-file.asciidoc @@ -359,7 +359,7 @@ separating each log lines per pipeline could be helpful in case you need to trou | `allow_superuser` | Setting to `true` to allow or `false` to block running Logstash as a superuser. -| `true` +| `false` | `pipeline.buffer.type` | Determine where to allocate memory buffers, for plugins that leverage them. diff --git a/logstash-core/lib/logstash/environment.rb b/logstash-core/lib/logstash/environment.rb index d67ad4457ef..6d2c1d5d37c 100644 --- a/logstash-core/lib/logstash/environment.rb +++ b/logstash-core/lib/logstash/environment.rb @@ -34,7 +34,7 @@ module Environment end [ - Setting::Boolean.new("allow_superuser", true), + Setting::Boolean.new("allow_superuser", false), Setting::String.new("node.name", Socket.gethostname), Setting::NullableString.new("path.config", nil, false), Setting::WritableDirectory.new("path.data", ::File.join(LogStash::Environment::LOGSTASH_HOME, "data")), diff --git a/logstash-core/lib/logstash/runner.rb b/logstash-core/lib/logstash/runner.rb index 46417a0c56c..0fd7a503b06 100644 --- a/logstash-core/lib/logstash/runner.rb +++ b/logstash-core/lib/logstash/runner.rb @@ -456,7 +456,8 @@ def execute def running_as_superuser if Process.euid() == 0 if setting("allow_superuser") - deprecation_logger.deprecated("NOTICE: Running Logstash as superuser is not recommended and won't be allowed in the future. Set 'allow_superuser' to 'false' to avoid startup errors in future releases.") + logger.warn("NOTICE: Allowing Logstash to run as superuser is heavily discouraged as it poses a security risk. " + + "It is strongly recommended to set 'allow_superuser' to false.") else raise(RuntimeError, "Logstash cannot be run as superuser.") end diff --git a/logstash-core/spec/logstash/runner_spec.rb b/logstash-core/spec/logstash/runner_spec.rb index 962f056a744..3a0a7e13102 100644 --- a/logstash-core/spec/logstash/runner_spec.rb +++ b/logstash-core/spec/logstash/runner_spec.rb @@ -595,7 +595,7 @@ it "runs successfully with warning message" do LogStash::SETTINGS.set("allow_superuser", true) expect(logger).not_to receive(:fatal) - expect(deprecation_logger_stub).to receive(:deprecated).with(/NOTICE: Running Logstash as superuser is not recommended and won't be allowed in the future. Set 'allow_superuser' to 'false' to avoid startup errors in future releases./) + expect(logger).to receive(:warn).with(/NOTICE: Allowing Logstash to run as superuser is heavily discouraged as it poses a security risk./) expect { subject.run(args) }.not_to raise_error end end @@ -607,7 +607,7 @@ it "runs successfully without any messages" do LogStash::SETTINGS.set("allow_superuser", false) expect(logger).not_to receive(:fatal) - expect(deprecation_logger_stub).not_to receive(:deprecated).with(/NOTICE: Running Logstash as superuser is not recommended and won't be allowed in the future. Set 'allow_superuser' to 'false' to avoid startup errors in future releases./) + expect(logger).not_to receive(:warn).with(/NOTICE: Allowing Logstash to run as superuser is heavily discouraged as it poses a security risk./) expect { subject.run(args) }.not_to raise_error end end