Guard blob store local directory creation with doPrivileged (#115459) (#115570)

The blob store may be triggered to create a local directory while in a
reduced privilege context. This commit guards the creation of
directories with doPrivileged.

Author: rjernst

docs/changelog/115459.yaml

@@ -0,0 +1,5 @@
+pr: 115459
+summary: Guard blob store local directory creation with `doPrivileged`
+area: Infra/Core
+type: bug
+issues: []

server/src/main/java/org/elasticsearch/common/blobstore/fs/FsBlobStore.java

@@ -18,6 +18,8 @@
 import java.io.IOException;
 import java.nio.file.Files;
 import java.nio.file.Path;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.util.Iterator;
 import java.util.List;
 
@@ -55,11 +57,14 @@ public int bufferSizeInBytes() {
     public BlobContainer blobContainer(BlobPath path) {
         Path f = buildPath(path);
         if (readOnly == false) {
-            try {
-                Files.createDirectories(f);
-            } catch (IOException ex) {
-                throw new ElasticsearchException("failed to create blob container", ex);
-            }
+            AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
+                try {
+                    Files.createDirectories(f);
+                } catch (IOException ex) {
+                    throw new ElasticsearchException("failed to create blob container", ex);
+                }
+                return null;
+            });
         }
         return new FsBlobContainer(this, path, f);
     }