in_tail ignores linux capabilities for opening/reading files

[davidcmitchell]

Describe the bug

In this case, we are enabling CAP_DAC_READ_SEARCH on the ruby binary in order to run as a non-root user but still read root owned log files. Calling file.readable?(path) results in "#{p} unreadable. It is excluded and would be examined next time." because file.readable? only considers the effective user/group id.

To Reproduce

• switch to user root (or in Docker USER root)
• setcap cap_dac_read_search=+eip /usr/local/bin/ruby (or in Docker RUN setcap cap_dac_read_search=+eip /usr/local/bin/ruby)
• switch to user fluent (or in Docker USER fluent)
• set a tail configuration for root owned files, for example:

    <source>
      @type tail
      path /var/log/containers/*.log
      pos_file /var/log/fluentd-containers.log.pos
      tag kubernetes.logs.*
      format json
      read_from_head true
      read_lines_limit 100
    </source>

Output:

2020-06-19 19:46:15 +0000 [warn]: #0 /var/log/containers/fluentd-logs-cr82n_genctl_fluentd-logs-816c787602a73f8e9b9c85b74bc340a783b1cd67de4b49735bd9e2d28085cc99.log unreadable. It is excluded and would be examined next time.

Expected behavior

Since we have CAP_DAC_READ_SEARCH, would expect to read the file normally.

Your Environment
fluentd:v1.9.1-debian-1.0 Docker image

Your Configuration

    <source>
      @type tail
      path /var/log/containers/*.log
      pos_file /var/log/fluentd-containers.log.pos
      tag kubernetes.logs.*
      format json
      read_from_head true
      read_lines_limit 100
    </source>

Your Error Log

2020-06-19 19:46:15 +0000 [warn]: #0 /var/log/containers/fluentd-logs-cr82n_genctl_fluentd-logs-816c787602a73f8e9b9c85b74bc340a783b1cd67de4b49735bd9e2d28085cc99.log unreadable. It is excluded and would be examined next time.

Additional context
Writing a custom in_tail plugin that avoids the file.readable?(p) check opens and reads the file normally.

[cosmo0920]

I'm planning to implement Linux capability checking mechanism on Fluentd.

In this case, we are enabling CAP_DAC_READ_SEARCH on the ruby binary in order to run as a non-root user but still read root owned log files. Calling file.readable?(path) results in "#{p} unreadable. It is excluded and would be examined next time." because file.readable? only considers the effective user/group id.

Yeah, Ruby's File#readable?(path) implementation does not refer Linux capability.

Example

$ irb
irb> File.readable?("/var/log/syslog")
=> false

For rbenv-ed Ruby:

$ sudo setcap cap_dac_read_search=+eip ~/.rbenv/versions/2.6.3/bin/ruby 
$ filecap ~/.rbenv/versions/2.6.3/bin/ruby
file                 capabilities
~/.rbenv/versions/2.6.3/bin/ruby     dac_read_search

Using libcap-ng binding which is developing here:
https://github.com/cosmo0920/capng_c

$ bundle exec irb 
irb> require 'capng'
=> true
irb> capng = CapNG.new
=> #<CapNG:0x000055566c4b8cb0>
irb> capng.have_capability?(CapNG::Type::EFFECTIVE, :dac_read_search)
=> true
irb> File.read("/var/log/syslog")
# some stuff. Can read "/var/log/syslog"