[Heartbeat] Remove containerized check from setuid logic (#37794)

Removed isContainerized from setuid check, as it fails to detect containers running under cgroups v2 and prevents switching users when running as root.
elastic · Jan 31, 2024 · 5d1c592 · 5d1c592
1 parent 2840dac
commit 5d1c592
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 9 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -81,6 +81,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
 *Heartbeat*
 
 - Fix panics when parsing dereferencing invalid parsed url. {pull}34702[34702]
+- Fix setuid root when running under cgroups v2. {pull}37794[37794]
 
 *Metricbeat*
 

diff --git a/heartbeat/security/security.go b/heartbeat/security/security.go
@@ -26,8 +26,6 @@ import (
 	"strconv"
 	"syscall"
 
-	sysinfo "github.com/elastic/go-sysinfo"
-
 	"kernel.org/pub/linux/libs/security/libcap/cap"
 )
 
@@ -36,13 +34,7 @@ func init() {
 	// In the context of a container, where users frequently run as root, we follow BEAT_SETUID_AS to setuid/gid
 	// and add capabilities to make this actually run as a regular user. This also helps Node.js in synthetics, which
 	// does not want to run as root. It's also just generally more secure.
-	sysInfo, err := sysinfo.Host()
-	isContainer := false
-	if err == nil && sysInfo.Info().Containerized != nil {
-		isContainer = *sysInfo.Info().Containerized
-	}
-
-	if localUserName := os.Getenv("BEAT_SETUID_AS"); isContainer && localUserName != "" && syscall.Geteuid() == 0 {
+	if localUserName := os.Getenv("BEAT_SETUID_AS"); localUserName != "" && syscall.Geteuid() == 0 {
 		err := setNodeProcAttr(localUserName)
 		if err != nil {
 			panic(err)