Werk #15422: Agent Bakery: New default UNIX agent folder permissions

Component Agent bakery
Title Agent Bakery: New default UNIX agent folder permissions
Date Mar 31, 2023
Level Trivial Change
Class Bug Fix
Compatibility Incompatible - Manual interaction might be required
Checkmk versions & editions
2.3.0b1
Not yet released
Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.3.0b1 Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.2.0b3 Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)

This change will be compatible for most, if not all, users.
You are only affected if you actually make use of the (now removed) group-writable flag on agent package folders.
Normally, (especially when using the agent updater) the checkmk agent package files/folders will be installed with root ownership, while metadata of pre-existing folders won't be altered by the installation.
Hence, only customized installation methods (e.g., unpacking the tar package with a special user) may possibly run into problems with this change.

Previously, the folders of a baked UNIX agent package were packaged with octal permissions of 775.
This lead to problems in some rare cases, e.g. when storing (and using) an ssh-id under an agent folder.

This has now been changed to 755, as the agent's folders are owned by root and also installed under folders owned by root by default.

Please note that these are the permissions of the folders as they are packaged by the agent bakery.
Depending on the package manager (or tar unpack command) and the target system's umask, the installed folders may end up with other permissions.

To the list of all Werks