CORE-11535: Fix svlogd rotated log files permissions (#10590) (#10667)

* CORE-11535: Fix svlogd rotated log files permissions

(cherry picked from commit 14b4639)

Author: skoryk-oleksandr

node/.dockerignore

@@ -7,6 +7,7 @@
 !vendor/github.com/kelseyhightower/confd/etc/calico/confd
 # - AlmaLinux repository file and our license
 !almalinux.repo
+!patches/svlogd_use_0644_permission_instead_of_0744.patch
 !LICENSE
 # - Files used in the windows image
 !windows-packaging/CalicoWindows/libs

node/Dockerfile.amd64

@@ -73,10 +73,15 @@ RUN rpm -i ${IPSET_SOURCERPM_URL} && \
     yum-builddep -y --spec /root/rpmbuild/SPECS/ipset.spec && \
     rpmbuild -bb /root/rpmbuild/SPECS/ipset.spec
 
+# Copy the patch that adjusts svlogd log file permissions from 0744 to 0644.
+# This file is used in the next step to apply the patch during the build process.
+COPY patches/svlogd_use_0644_permission_instead_of_0744.patch /svlogd_use_0644_permission_instead_of_0744.patch
+
 # runit is not available in ubi or AlmaLinux repos so build it.
 # get it from the debian repos as the official website doesn't support https
 RUN curl -sfL https://ftp.debian.org/debian/pool/main/r/runit/runit_${RUNIT_VER}.orig.tar.gz | tar xz -C /root && \
     cd /root/admin/runit-${RUNIT_VER} && \
+    patch -p1 < /svlogd_use_0644_permission_instead_of_0744.patch && \
     package/compile
 
 FROM ${UBI_IMAGE} AS ubi

node/Dockerfile.arm64

@@ -73,10 +73,15 @@ RUN rpm -i ${IPSET_SOURCERPM_URL} && \
     yum-builddep -y --spec /root/rpmbuild/SPECS/ipset.spec && \
     rpmbuild -bb /root/rpmbuild/SPECS/ipset.spec
 
+# Copy the patch that adjusts svlogd log file permissions from 0744 to 0644.
+# This file is used in the next step to apply the patch during the build process.
+COPY patches/svlogd_use_0644_permission_instead_of_0744.patch /svlogd_use_0644_permission_instead_of_0744.patch
+
 # runit is not available in ubi or AlmaLinux repos so build it.
 # get it from the debian repos as the official website doesn't support https
 RUN curl -sfL https://ftp.debian.org/debian/pool/main/r/runit/runit_${RUNIT_VER}.orig.tar.gz | tar xz -C /root && \
     cd /root/admin/runit-${RUNIT_VER} && \
+    patch -p1 < /svlogd_use_0644_permission_instead_of_0744.patch && \
     package/compile
 
 FROM ${UBI_IMAGE} AS ubi

node/patches/svlogd_use_0644_permission_instead_of_0744.patch

@@ -0,0 +1,37 @@
+Subject: [PATCH] use_0644_permission_instead_of_0744
+---
+Index: src/svlogd.c
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/svlogd.c b/src/svlogd.c
+--- a/src/svlogd.c	(revision 142186093dafb75d90ae4aab4a06e2f32bcd74d5)
++++ b/src/svlogd.c	(date 1750721596815)
+@@ -205,7 +205,7 @@
+   f[26] ='s'; f[27] =0;
+   while (rename(ld->fnsave, f) == -1)
+     pause2("unable to rename processed", ld->name);
+-  while (chmod(f, 0744) == -1)
++  while (chmod(f, 0644) == -1)
+     pause2("unable to set mode of processed", ld->name);
+   ld->fnsave[26] ='u';
+   if (unlink(ld->fnsave) == -1)
+@@ -282,7 +282,7 @@
+     buffer_flush(&ld->b);
+     while (fsync(ld->fdcur) == -1)
+       pause2("unable to fsync current logfile", ld->name);
+-    while (fchmod(ld->fdcur, 0744) == -1)
++    while (fchmod(ld->fdcur, 0644) == -1)
+       pause2("unable to set mode of current", ld->name);
+     close(ld->fdcur);
+     if (verbose) {
+@@ -372,7 +372,7 @@
+   buffer_flush(&ld->b);
+   while (fsync(ld->fdcur) == -1)
+     pause2("unable to fsync current logfile", ld->name);
+-  while (fchmod(ld->fdcur, 0744) == -1)
++  while (fchmod(ld->fdcur, 0644) == -1)
+     pause2("unable to set mode of current", ld->name);
+   close(ld->fdcur);
+   ld->fdcur =-1;