Change directory permissions on Windows

DataDog · Feb 25, 2025 · 9cf9b1b · 9cf9b1b
1 parent 2f3e535
commit 9cf9b1b
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 1 deletion.
diff --git a/pkg/fleet/installer/paths/installer_paths.go b/pkg/fleet/installer/paths/installer_paths.go
@@ -8,6 +8,8 @@
 // Package paths defines commonly used paths throughout the installer
 package paths
 
+import "os"
+
 const (
 	// PackagesPath is the path to the packages directory.
 	PackagesPath = "/opt/datadog-packages"
@@ -24,3 +26,8 @@ const (
 	// RunPath is the default run path
 	RunPath = "/opt/datadog-packages/run"
 )
+
+// SetRepositoryPermissions sets the permissions on the repository directory
+func SetRepositoryPermissions(path string) error {
+	return os.Chmod(path, 0755)
+}
diff --git a/pkg/fleet/installer/paths/installer_paths_windows.go b/pkg/fleet/installer/paths/installer_paths_windows.go
@@ -336,3 +336,18 @@ func getProgramDataDirForProduct(product string) (path string, err error) {
 	path = val
 	return
 }
+
+// SetRepositoryPermissions sets the permissions on the repository directory
+// It needs to be world readable so that user processes can load installed libraries
+func SetRepositoryPermissions(path string) error {
+	// Desired permissions:
+	// - OWNER: Administrators
+	// - GROUP: Administrators
+	// - SYSTEM: Full Control (propagates to children)
+	// - Administrators: Full Control (propagates to children)
+	// - Everyone: 0x1200A9 List folder contents (propagates children)
+	// - PROTECTED: does not inherit permissions from parent
+	sddl := "O:BAG:BAD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200A9;;;WD)"
+
+	return treeResetNamedSecurityInfoWithSDDL(path, sddl)
+}
diff --git a/pkg/fleet/installer/repository/repository.go b/pkg/fleet/installer/repository/repository.go
@@ -14,6 +14,7 @@ import (
 	"os"
 	"path/filepath"
 
+	"github.com/DataDog/datadog-agent/pkg/fleet/installer/paths"
 	"github.com/DataDog/datadog-agent/pkg/util/log"
 )
 
@@ -357,7 +358,7 @@ func movePackageFromSource(packageName string, rootPath string, sourcePath strin
 	if !errors.Is(err, os.ErrNotExist) {
 		return "", fmt.Errorf("could not stat target package: %w", err)
 	}
-	if err := os.Chmod(sourcePath, 0755); err != nil {
+	if err := paths.SetRepositoryPermissions(sourcePath); err != nil {
 		return "", fmt.Errorf("could not set permissions on package: %w", err)
 	}
 	err = os.Rename(sourcePath, targetPath)