[Unprivileged] Upgrade broken due to permission issues

[blakerouse]

Upgrading an Elastic Agent that is installed with unprivileged fails to perform upgrade unless the tarball is built with the correct permissions.

Failed trigger upgrade of daemon: TarInstaller: creating file /opt/Elastic/Agent/data/elastic-agent-5b3535/package.version: open /opt/Elastic/Agent/data/elastic-agent-5b3535/package.version: permission denied

root@ogc-linux-arm64-ubuntu-2204-upgrade-cb2f:/opt/Elastic/Agent/data# ls -lh
total 8.0K
-rw------- 1 elastic-agent elastic-agent    0 Jan 17 18:37 agent.lock
drw-r----- 2 elastic-agent elastic-agent 4.0K Jan 17 18:37 elastic-agent-5b3535
drwxr-x--- 5 elastic-agent elastic-agent 4.0K Jan 17 18:37 elastic-agent-666fd7

The elastic-agent-5b3535 is the extracted directory for the upgrade and it doesn't have the correct permissions. It should have the same permissions as elastic-agent-666fd7.

elastic-agent/internal/pkg/agent/application/upgrade/step_unpack.go

Line 217 in 71c7cb3

if err := os.MkdirAll(abs, mode.Perm()&0770); err != nil {

Only applies a bitmask for 0770 meaning that the contents of the tarball have an a effect on the extracted contents.

[elasticmachine]

Pinging @elastic/elastic-agent (Team:Elastic-Agent)

[blakerouse]

I was able to identify the issue and it is not the archive that is incorrect. The archive is actually correct. The issue is in the TarInstaller.

elastic-agent/internal/pkg/agent/application/upgrade/step_unpack.go

Line 196 in 71c7cb3

if err := os.MkdirAll(filepath.Dir(abs), mode.Perm()&0770); err != nil {

At this point if the directory doesn't exist it will create it, except it uses the permissions of the file for its permissions and not the permissions for the directory that are in the tarball. This causes the extraction to be incorrect.