From 6e7e8525bb5a1cad57d6766201b27e95e6feff75 Mon Sep 17 00:00:00 2001
From: vcerenu
Date: Mon, 4 Mar 2024 07:51:00 -0300
Subject: [PATCH] modify uid and giufor indexer and dashboard user and file permissions

---
 build-docker-images/wazuh-dashboard/Dockerfile | 18 +++++++++---------
 build-docker-images/wazuh-indexer/Dockerfile | 18 +++++++++---------
 .../wazuh-indexer/config/entrypoint.sh | 4 ++--
 indexer-certs-creator/config/entrypoint.sh | 12 +----------
 multi-node/docker-compose.yml | 4 ++--
 single-node/docker-compose.yml | 2 +-
 6 files changed, 24 insertions(+), 34 deletions(-)

diff --git a/build-docker-images/wazuh-dashboard/Dockerfile b/build-docker-images/wazuh-dashboard/Dockerfile
index 71b2d0e5..7568e5ec 100644
--- a/build-docker-images/wazuh-dashboard/Dockerfile
+++ b/build-docker-images/wazuh-dashboard/Dockerfile
@@ -28,12 +28,12 @@ RUN bash /install_wazuh_app.sh
 # Copy and set permissions to config files
 COPY config/opensearch_dashboards.yml $INSTALL_DIR/config/
 COPY config/wazuh.yml $INSTALL_DIR/data/wazuh/config/
-RUN chown 101:101 $INSTALL_DIR/config/opensearch_dashboards.yml && chmod 664 $INSTALL_DIR/config/opensearch_dashboards.yml
+RUN chmod 664 $INSTALL_DIR/config/opensearch_dashboards.yml
 
 # Create and set permissions to data directories
-RUN mkdir -p $INSTALL_DIR/data/wazuh && chown -R 101:101 $INSTALL_DIR/data/wazuh && chmod -R 775 $INSTALL_DIR/data/wazuh
-RUN mkdir -p $INSTALL_DIR/data/wazuh/config && chown -R 101:101 $INSTALL_DIR/data/wazuh/config && chmod -R 775 $INSTALL_DIR/data/wazuh/config
-RUN mkdir -p $INSTALL_DIR/data/wazuh/logs && chown -R 101:101 $INSTALL_DIR/data/wazuh/logs && chmod -R 775 $INSTALL_DIR/data/wazuh/logs
+RUN mkdir -p $INSTALL_DIR/data/wazuh && chmod -R 775 $INSTALL_DIR/data/wazuh
+RUN mkdir -p $INSTALL_DIR/data/wazuh/config && chmod -R 775 $INSTALL_DIR/data/wazuh/config
+RUN mkdir -p $INSTALL_DIR/data/wazuh/logs && chmod -R 775 $INSTALL_DIR/data/wazuh/logs
 
 ################################################################################
 # Build stage 1 (the current Wazuh dashboard image):
@@ -84,9 +84,9 @@ ENV PATTERN="" \
 RUN yum install shadow-utils -y
 
 # Create wazuh-dashboard user and group
-RUN getent group $GROUP || groupadd -r -g 1000 $GROUP
+RUN getent group $GROUP || groupadd -r -g 999 $GROUP
 RUN useradd --system \
- --uid 1000 \
+ --uid 999 \
 --no-create-home \
 --home-dir $INSTALL_DIR \
 --gid $GROUP \
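Review bot: The chown calls dropped from the four RUN lines in this hunk leave the builder-stage config and data tree with whatever owner the build stage runs as, and nothing here says that ownership is instead assigned by `COPY --from=builder --chown=999:999 $INSTALL_DIR $INSTALL_DIR` in the @@ -99 hunk, so a reader seeing only the chmod lines will take the missing chown for an oversight. Add a comment above the first RUN, e.g. `# Ownership is assigned when this tree is copied into the final stage (COPY --chown); only modes are fixed here`. The three mkdir/chmod lines can also collapse into one, since `chmod -R 775 $INSTALL_DIR/data/wazuh` already covers the config and logs subdirectories beneath it: `RUN mkdir -p $INSTALL_DIR/data/wazuh/config $INSTALL_DIR/data/wazuh/logs && chmod -R 775 $INSTALL_DIR/data/wazuh`. Mode 664 on opensearch_dashboards.yml and 775 on the data tree grant group write; whether that group is meant to contain anything besides the service user is not visible here.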
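Review bot: The new numeric id 999 is hard-coded in more than a dozen places across this hunk, the @@ -99 hunk, the indexer Dockerfile hunks at @@ -38 and @@ -57, and both entrypoint scripts, while the group creation only guards on the name (`getent group $GROUP`); a base image that already ships a 999 group or user under another name fails at groupadd/useradd, whereas a pre-existing group named $GROUP with a different GID would build fine and leave every `chown 999:999` pointing at a group the service user is not in. Declare the id once, e.g. `ARG WAZUH_UID=999` (example name), and use it in `groupadd -g`, `useradd --uid` and every `chown`/`--chown`, so the next change touches one line. Adding `getent group 999` next to the name check would make the collision surface at build time with a clear message. The useradd invocation continues past the end of the hunk; the same applies to the indexer Dockerfile at @@ -38.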
@@ -99,14 +99,14 @@ COPY config/entrypoint.sh /
 COPY config/wazuh_app_config.sh /
 RUN chmod 700 /entrypoint.sh
 RUN chmod 700 /wazuh_app_config.sh
-RUN chown 1000:1000 /*.sh
+RUN chown 999:999 /*.sh
 
 # Copy Install dir from builder to current image
-COPY --from=builder --chown=1000:1000 $INSTALL_DIR $INSTALL_DIR
+COPY --from=builder --chown=999:999 $INSTALL_DIR $INSTALL_DIR
 
 # Create custom directory
 RUN mkdir -p /usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom
-RUN chown 1000:1000 /usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom
+RUN chown 999:999 /usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom
 
 # Set workdir and user
 WORKDIR $INSTALL_DIR
diff --git a/build-docker-images/wazuh-indexer/Dockerfile b/build-docker-images/wazuh-indexer/Dockerfile
index bdce9fff..bb7d6dae 100644
--- a/build-docker-images/wazuh-indexer/Dockerfile
+++ b/build-docker-images/wazuh-indexer/Dockerfile
@@ -38,10 +38,10 @@ ENV USER="wazuh-indexer" \
 RUN yum install curl-minimal shadow-utils findutils hostname -y
 
-RUN getent group $GROUP || groupadd -r -g 1000 $GROUP
+RUN getent group $GROUP || groupadd -r -g 999 $GROUP
 RUN useradd --system \
- --uid 1000 \
+ --uid 999 \
 --no-create-home \
 --home-dir $INSTALL_DIR \
 --gid $GROUP \
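Review bot: `RUN mkdir -p …/assets/custom` followed by a separate `RUN chown 999:999 …/assets/custom` spends two layers on one directory, while the indexer Dockerfile at @@ -57 already uses the combined `mkdir -p … && chown …` form; `RUN mkdir -p /usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom && chown 999:999 /usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom` keeps the two files consistent. `RUN chown 999:999 /*.sh` can likewise be folded into the preceding chmod lines as one RUN. Whether the `# Set workdir and user` section that follows switches USER to the 999 account is outside the hunk and not visible here.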
@@ -57,19 +57,19 @@ COPY config/securityadmin.sh /
 
 RUN chmod 700 /entrypoint.sh && chmod 700 /securityadmin.sh
-RUN chown 1000:1000 /*.sh
+RUN chown 999:999 /*.sh
 
-COPY --from=builder --chown=1000:1000 /debian/wazuh-indexer/usr/share/wazuh-indexer /usr/share/wazuh-indexer
+COPY --from=builder --chown=999:999 /debian/wazuh-indexer/usr/share/wazuh-indexer /usr/share/wazuh-indexer
 COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/systemd /usr/lib/systemd
 COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/sysctl.d /usr/lib/sysctl.d
 COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/tmpfiles.d /usr/lib/tmpfiles.d
 
-RUN chown -R 1000:1000 /usr/share/wazuh-indexer
+RUN chown -R 999:999 /usr/share/wazuh-indexer
 
-RUN mkdir -p /var/lib/wazuh-indexer && chown 1000:1000 /var/lib/wazuh-indexer && \
- mkdir -p /usr/share/wazuh-indexer/logs && chown 1000:1000 /usr/share/wazuh-indexer/logs && \
- mkdir -p /run/wazuh-indexer && chown 1000:1000 /run/wazuh-indexer && \
- mkdir -p /var/log/wazuh-indexer && chown 1000:1000 /var/log/wazuh-indexer && \
+RUN mkdir -p /var/lib/wazuh-indexer && chown 999:999 /var/lib/wazuh-indexer && \
+ mkdir -p /usr/share/wazuh-indexer/logs && chown 999:999 /usr/share/wazuh-indexer/logs && \
+ mkdir -p /run/wazuh-indexer && chown 999:999 /run/wazuh-indexer && \
+ mkdir -p /var/log/wazuh-indexer && chown 999:999 /var/log/wazuh-indexer && \
 chmod 700 /usr/share/wazuh-indexer && \
 chmod 600 /usr/share/wazuh-indexer/jvm.options && \
 chmod 600 /usr/share/wazuh-indexer/opensearch.yml
diff --git a/build-docker-images/wazuh-indexer/config/entrypoint.sh b/build-docker-images/wazuh-indexer/config/entrypoint.sh
index 2acb4aa0..ba244d4d 100644
--- a/build-docker-images/wazuh-indexer/config/entrypoint.sh
+++ b/build-docker-images/wazuh-indexer/config/entrypoint.sh
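Review bot: `RUN chown -R 999:999 /usr/share/wazuh-indexer` is redundant with the `COPY --from=builder --chown=999:999 … /usr/share/wazuh-indexer` a few lines above, and because it runs as its own RUN step it typically rewrites every file of that tree into a fresh layer, so the image carries the tree twice for no change in ownership; drop the line. Separately, `/entrypoint.sh` and `/securityadmin.sh` end up mode 700 and owned by the service uid (`chown 999:999 /*.sh`), yet the entrypoint in the next file tests `id -u` for 0 and drops privileges with `chroot --userspec`, which suggests it is launched as root; if that is the case, scripts root executes are better left root-owned and non-writable, `chmod 0555 /entrypoint.sh /securityadmin.sh` with no chown, so a compromised service process cannot edit what root runs on the next container start. The USER instruction that decides the launching uid is outside this hunk, so confirm before changing the ownership.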
@@ -34,7 +34,7 @@ if [[ "$1" != "opensearchwrapper" ]]; then
 # `bin/opensearch -E x.y=z` would not work.
 set -- "opensearch" "${@:2}"
 # Use chroot to switch to UID 1000 / GID 0
- exec chroot --userspec=1000:0 / "$@"
+ exec chroot --userspec=999:0 / "$@"
 else
 # User probably wants to run something else, like /bin/bash, with another uid forced (Openshift?)
 exec "$@"
@@ -79,7 +79,7 @@ fi
 if [[ "$(id -u)" == "0" ]]; then
 # If requested and running as root, mutate the ownership of bind-mounts
 if [[ -n "$TAKE_FILE_OWNERSHIP" ]]; then
- chown -R 1000:0 /usr/share/wazuh-indexer/{data,logs}
+ chown -R 999:0 /usr/share/wazuh-indexer/{data,logs}
 fi
 fi
 
diff --git a/indexer-certs-creator/config/entrypoint.sh b/indexer-certs-creator/config/entrypoint.sh
index d3e0534e..948fefa1 100644
--- a/indexer-certs-creator/config/entrypoint.sh
+++ b/indexer-certs-creator/config/entrypoint.sh
@@ -47,15 +47,5 @@ echo "Changing certificate permissions"
 chmod -R 500 /certificates
 chmod -R 400 /certificates/*
 echo "Setting UID indexer and dashboard"
-chown 1000:1000 /certificates/*
-echo "Setting UID for wazuh manager and worker"
-cp /certificates/root-ca.pem /certificates/root-ca-manager.pem
-cp /certificates/root-ca.key /certificates/root-ca-manager.key
-chown 101:101 /certificates/root-ca-manager.pem
-chown 101:101 /certificates/root-ca-manager.key
+chown 999:999 /certificates/*
 
-for i in ${node_names[@]};
-do
- chown 101:101 "/certificates/${i}.pem"
- chown 101:101 "/certificates/${i}-key.pem"
-done
diff --git a/multi-node/docker-compose.yml b/multi-node/docker-compose.yml
index a72fd4f5..ac81cb63 100644
--- a/multi-node/docker-compose.yml
+++ b/multi-node/docker-compose.yml
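Review bot: The comment directly above the changed line still reads `# Use chroot to switch to UID 1000 / GID 0` while the code now passes `--userspec=999:0`; update it to `# Use chroot to switch to UID 999 / GID 0` so the stale number does not mislead the next uid change. This hunk and @@ -79 (`chown -R 999:0 /usr/share/wazuh-indexer/{data,logs}`) keep GID 0 for the runtime process and the bind-mounts, whereas both Dockerfiles and the certs creator assign 999:999; if the group-0 choice is deliberate (arbitrary-uid support, as the `(Openshift?)` comment in the else branch hints), a one-line comment saying so would stop a reader from "fixing" one side to match the other. The enclosing if/else begins before this hunk and its closing fi lies outside it.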
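Review bot: `chown 999:999 /certificates/*` hands every generated key, including root-ca.key and the manager and worker node keys, to the single uid shared by the indexer and dashboard, and the per-node chown loop and `root-ca-manager.*` copies that gave the manager side its own owner (101:101) are removed without a replacement. Combined with the unchanged `chmod -R 400 /certificates/*`, a manager/filebeat process that does not run as uid 999 or root can no longer open `wazuh.manager-key.pem` or the `root-ca.pem` now mounted by the compose files, and one that does run as 999 can read the indexer's and dashboard's private keys as well; the removed 101:101 lines are the only evidence of the manager's uid on this page, so confirm it against the manager image. Keep a per-consumer ownership step for the manager and worker files, e.g. `chown <MANAGER_UID>:<MANAGER_GID> /certificates/wazuh.manager.pem /certificates/wazuh.manager-key.pem` (placeholder ids), and fix the echo above the chown, which still says `Setting UID indexer and dashboard` although the line now covers every certificate.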
@@ -39,7 +39,7 @@ services:
 - master-wazuh-wodles:/var/ossec/wodles
 - master-filebeat-etc:/etc/filebeat
 - master-filebeat-var:/var/lib/filebeat
- - ./config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem
+ - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/etc/ssl/root-ca.pem
 - ./config/wazuh_indexer_ssl_certs/wazuh.master.pem:/etc/ssl/filebeat.pem
 - ./config/wazuh_indexer_ssl_certs/wazuh.master-key.pem:/etc/ssl/filebeat.key
 - ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
@@ -75,7 +75,7 @@ services:
 - worker-wazuh-wodles:/var/ossec/wodles
 - worker-filebeat-etc:/etc/filebeat
 - worker-filebeat-var:/var/lib/filebeat
- - ./config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem
+ - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/etc/ssl/root-ca.pem
 - ./config/wazuh_indexer_ssl_certs/wazuh.worker.pem:/etc/ssl/filebeat.pem
 - ./config/wazuh_indexer_ssl_certs/wazuh.worker-key.pem:/etc/ssl/filebeat.key
 - ./config/wazuh_cluster/wazuh_worker.conf:/wazuh-config-mount/etc/ossec.conf
diff --git a/single-node/docker-compose.yml b/single-node/docker-compose.yml
index 55e2261e..9e4d56fd 100644
--- a/single-node/docker-compose.yml
+++ b/single-node/docker-compose.yml
@@ -40,7 +40,7 @@ services:
 - wazuh_wodles:/var/ossec/wodles
 - filebeat_etc:/etc/filebeat
 - filebeat_var:/var/lib/filebeat
- - ./config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem
+ - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/etc/ssl/root-ca.pem
 - ./config/wazuh_indexer_ssl_certs/wazuh.manager.pem:/etc/ssl/filebeat.pem
 - ./config/wazuh_indexer_ssl_certs/wazuh.manager-key.pem:/etc/ssl/filebeat.key
 - ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
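Review bot: The certificate bind-mounts in this hunk and in the @@ -75 and single-node @@ -40 hunks (`root-ca.pem`, the node `.pem` and `-key.pem` files) carry no `:ro` suffix, so the manager and worker containers receive writable mounts of the CA certificate and their private keys; appending `:ro` to each, e.g. `- ./config/wazuh_indexer_ssl_certs/root-ca.pem:/etc/ssl/root-ca.pem:ro`, costs nothing and keeps a compromised container from altering the trust material on the host. The file now mounted is the one the certs-creator chowns to 999:999 with mode 400, so the manager's process uid must be 999 or 0 for the mount to be readable; that uid is not visible on this page. Each service's volumes list continues beyond the hunk.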