diff --git a/pkg/collector/python/init_windows.go b/pkg/collector/python/init_windows.go index 04d18175df1f7..3de1ba7a459b0 100644 --- a/pkg/collector/python/init_windows.go +++ b/pkg/collector/python/init_windows.go @@ -9,8 +9,10 @@ package python import ( "os" + "path/filepath" pkgconfigsetup "github.com/DataDog/datadog-agent/pkg/config/setup" + "github.com/DataDog/datadog-agent/pkg/util/winutil" ) // Any platform-specific initialization belongs here. @@ -21,5 +23,41 @@ func initializePlatform() error { os.Unsetenv("PYTHONPATH") } + // only use cache file when not admin + admin, _ := winutil.IsUserAnAdmin() + if !admin { + err := enableSeparatePythonCacheDir() + if err != nil { + return err + } + } + return nil } + +// enableSeparatePythonCacheDir configures Python to use a separate directory for its pycache. +// +// Creates a python-cache subdir in the configuration directory and configures Python to use it via the PYTHONPYCACHEPREFIX env var. +// +// https://docs.python.org/3/using/cmdline.html#envvar-PYTHONPYCACHEPREFIX +func enableSeparatePythonCacheDir() error { + pd, err := winutil.GetProgramDataDir() + if err != nil { + return err + } + pycache := filepath.Join(pd, "python-cache") + + // check if path exists and create directory if it doesn't + if _, err := os.Stat(pycache); os.IsNotExist(err) { + if err := os.MkdirAll(pycache, 0755); err != nil { + return err + } + } else if err != nil { + return err + } + + os.Setenv("PYTHONPYCACHEPREFIX", pycache) + + return nil + +} diff --git a/releasenotes/notes/update-embedded-permissions-a8e169f1c079cd41.yaml b/releasenotes/notes/update-embedded-permissions-a8e169f1c079cd41.yaml new file mode 100644 index 0000000000000..8b9cafd486a16 --- /dev/null +++ b/releasenotes/notes/update-embedded-permissions-a8e169f1c079cd41.yaml @@ -0,0 +1,11 @@ +# Each section from every release note are combined when the +# CHANGELOG.rst is rendered. So the text needs to be worded so that +# it does not depend on any information only available in another +# section. This may mean repeating some details, but each section +# must be readable independently of the other. +# +# Each section note must be formatted as reStructuredText. +--- +security: + - | + Move the embedded Python cache out of the installation directory on Windows. diff --git a/test/new-e2e/tests/windows/install-test/installtester.go b/test/new-e2e/tests/windows/install-test/installtester.go index e0fbee6886600..f0c86fdf8c9d1 100644 --- a/test/new-e2e/tests/windows/install-test/installtester.go +++ b/test/new-e2e/tests/windows/install-test/installtester.go @@ -536,31 +536,6 @@ func (t *Tester) testInstalledFilePermissions(tt *testing.T, ddAgentUserIdentity }) } - // expect to have standard inherited permissions, plus an explciit ACE for ddagentuser - embeddedPaths := []string{ - filepath.Join(t.expectedInstallPath, "embedded3"), - } - if t.ExpectPython2Installed() { - embeddedPaths = append(embeddedPaths, - filepath.Join(t.expectedInstallPath, "embedded2"), - ) - } - agentUserFullAccessDirRule := windows.NewExplicitAccessRuleWithFlags( - ddAgentUserIdentity, - windows.FileFullControl, - windows.AccessControlTypeAllow, - windows.InheritanceFlagsContainer|windows.InheritanceFlagsObject, - windows.PropagationFlagsNone, - ) - for _, path := range embeddedPaths { - out, err := windows.GetSecurityInfoForPath(t.host, path) - require.NoError(tt, err) - if !windows.IsIdentityLocalSystem(ddAgentUserIdentity) { - windows.AssertContainsEqualable(tt, out.Access, agentUserFullAccessDirRule, "%s should have full access rule for %s", path, ddAgentUserIdentity) - } - assert.False(tt, out.AreAccessRulesProtected, "%s should inherit access rules", path) - } - // ensure the agent user does not have an ACE on the install dir out, err := windows.GetSecurityInfoForPath(t.host, t.expectedInstallPath) require.NoError(tt, err) diff --git a/tools/windows/DatadogAgentInstaller/CustomActions/ConfigureUserCustomActions.cs b/tools/windows/DatadogAgentInstaller/CustomActions/ConfigureUserCustomActions.cs index 1447f8a080fd0..817f118b0c797 100644 --- a/tools/windows/DatadogAgentInstaller/CustomActions/ConfigureUserCustomActions.cs +++ b/tools/windows/DatadogAgentInstaller/CustomActions/ConfigureUserCustomActions.cs @@ -586,9 +586,6 @@ private List PathsWithAgentAccess() // agent needs to be able to write to run/ // agent needs to be able to create auth_token _session.Property("APPLICATIONDATADIRECTORY"), - // allow agent to write __pycache__ - Path.Combine(_session.Property("PROJECTLOCATION"), "embedded2"), - Path.Combine(_session.Property("PROJECTLOCATION"), "embedded3"), }; }