In #28514 we added support for setuid-ing to a regular user from root. This wasn't thought of as a breaking change, because it generally isn't. One place where that's not quite true is that if users have config files that are owned by root with no `o+r` perms, heartbeat can't read these after downgrading its credentials.
To remedy this I propose we only invoke setuid in the elastic-agent containers where we control config files completely.
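The failure mode described above can be checked before privileges are dropped. The following is an added example, not code from the PR or the Beats code base: `readableBy` and `checkConfig` are hypothetical helpers that apply the Unix owner/group/other mode-bit order to a config file for the identity the process will have after setuid. It assumes plain mode bits decide access (no ACLs, parent directories are traversable).

```go
package main

import (
	"fmt"
	"os"
	"syscall"
)

// readableBy applies the classic Unix permission-class order: the owner
// class is checked first, then group, then other. Only one class is used.
// Assumption: ACLs and parent-directory search permission are ignored.
func readableBy(mode os.FileMode, ownerUID, ownerGID, uid uint32, gids []uint32) bool {
	if uid == 0 {
		return true // root normally bypasses mode bits via CAP_DAC_OVERRIDE
	}
	perm := mode.Perm()
	if uid == ownerUID {
		return perm&0o400 != 0
	}
	for _, g := range gids {
		if g == ownerGID {
			return perm&0o040 != 0
		}
	}
	return perm&0o004 != 0 // neither owner nor group member: "other" bits decide
}

// checkConfig stats path and reports whether the post-setuid identity
// (uid plus its full group list) could still read it.
func checkConfig(path string, uid uint32, gids []uint32) (bool, error) {
	fi, err := os.Stat(path)
	if err != nil {
		return false, err
	}
	st, ok := fi.Sys().(*syscall.Stat_t)
	if !ok {
		return false, fmt.Errorf("no Unix ownership data for %s", path)
	}
	return readableBy(fi.Mode(), st.Uid, st.Gid, uid, gids), nil
}

func main() {
	// Constructed cases: root:root config, target user 1000 in group 1000.
	fmt.Println(readableBy(0o640, 0, 0, 1000, []uint32{1000})) // false: no o+r
	fmt.Println(readableBy(0o644, 0, 0, 1000, []uint32{1000})) // true: o+r set
}
```

Running such a check while still root lets the process report the unreadable file by name instead of failing later with a bare permission error.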