Set Default file mode to 0600 #21
Conversation
@cyberkov thanks for the PR, can you please rebase against our master branch? And is that really a backwards-incompatible change?

I think it would be fine. The config file belonged to root before and now to the user otelcol. root would be able to read it anyway :)
If we want to be very conservative, this should be considered a backwards-incompatible change for the rest of the applications: if one was peeking into the otelcol configuration to read something, the new behavior will prevent that. Another side note: if the service owns the configuration file, it can change its permissions and content. That may not be an issue, but it is generally better, in case of a vulnerability, for the configuration to be immutable by the pwned service and be owned by another user (root), belong to a group of the application, and have permission

Config files could contain connection strings to databases, exporters, etc.; this could result in (local) privilege escalation if every user is able to read those config files.
So in terms of having a more secure base config, I think setting default file mode to 0600 prevents failures.
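As an added illustration of the ownership and mode layouts debated in this thread (this is example code written for this page, not code from the PR or from the otelcol packaging), the audit below checks a config file against the two properties the reviewers care about: no other local user can read it, and the service account can read it but cannot chmod or rewrite it. Because a non-root process cannot chown a file to root, the demo stands in for a root-owned file by telling the auditor that the service runs under a different uid than the file's owner; the uid/gid values and the sample YAML content are constructed for the example.

```python
import os
import stat
import tempfile

# Permission bits that grant any access to "other" (every local user).
OTHER_BITS = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH


def service_can_read(st, mode, service_uid, service_gid):
    """Owner/group/other resolution for a read attempted by the service account."""
    if st.st_uid == service_uid:
        return bool(mode & stat.S_IRUSR)
    if st.st_gid == service_gid:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def audit_config(path, service_uid, service_gid):
    """Return a list of findings for a config file consumed by an unprivileged service.

    The layout argued for in the review: owned by another user (root), group set
    to the service's group, mode 0640. The service can then read the file but a
    compromised service cannot chmod or rewrite it, and no other user can read it.
    """
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if mode & OTHER_BITS:
        findings.append("world-accessible (mode %04o): any local user can read secrets" % mode)
    if st.st_uid == service_uid:
        findings.append("owned by the service user: a compromised service can chmod/rewrite it")
    elif st.st_gid == service_gid and mode & stat.S_IWGRP:
        findings.append("group-writable by the service group: a compromised service can rewrite it")
    if not service_can_read(st, mode, service_uid, service_gid):
        findings.append("service account cannot read the file")
    return findings


def make_sample(mode):
    """Create a throwaway config file (constructed sample content) with the given mode."""
    fd, path = tempfile.mkstemp(suffix=".yaml")
    with os.fdopen(fd, "w") as f:
        # Constructed secret-bearing content of the kind the thread worries about.
        f.write("exporters:\n  otlp:\n    headers:\n      authorization: 'Bearer example-token'\n")
    os.chmod(path, mode)
    return path


def demo():
    """Run the four layouts discussed in the thread through audit_config and return the findings."""
    uid = os.getuid()
    other_uid = uid + 1  # stand-in for a non-service owner (root in a real deployment)
    results = {}
    for label, mode, service_uid, gid_offset in [
        ("0644 owned by service (world-readable)", 0o644, uid, 0),
        ("0600 owned by service (this PR)", 0o600, uid, 0),
        ("0640 root:<service group> (reviewer's layout)", 0o640, other_uid, 0),
        ("0600 root-owned, service not in the group", 0o600, other_uid, 1),
    ]:
        path = make_sample(mode)
        # The file is really owned by us; shifting the service's gid emulates
        # "service is / is not a member of the file's group".
        service_gid = os.stat(path).st_gid + gid_offset
        results[label] = audit_config(path, service_uid, service_gid)
        os.remove(path)
    return results


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label)
        for finding in findings or ["OK"]:
            print("  -", finding)
```

Running it shows the trade-off in the thread: 0600 owned by the service closes the world-readable hole but still lets a pwned service rewrite its own config, while root:<group> 0640 satisfies both properties; 0600 root-owned without the group membership is the over-correction where the service cannot start at all.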