Closed elasticmachine closed 3 months ago
Original comment by @ph:
@michalpristas I know we have logic in place to control the group/user that a process is executed as, but at the moment I don't think we ever exposed that to the end user.
Original comment by @ph:
cc @mattapperson for awareness.
Original comment by @michalpristas:
Also a side note: this should be configurable; the agent is capable of running a beat as a different user if configuration is provided. We have this isolation story in the backlog for specifying namespaces when running processes, and I think this should also help.
Pinging @elastic/ingest-management (Team:ingest-management)
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)
Closing this as done now that there is an unprivileged Elastic Agent experience. Example on Mac: https://github.com/elastic/elastic-agent/issues/3867
Original comment by @ph:
The Agent starts the beats process with the same user as the agent process, which means root. This is less than ideal if we want to lock down the process and reduce the risk.
TODO: Define stories