Limit file permissions on /var/log/cloud-init.log
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
cloud-init |
Fix Committed
|
Low
|
Unassigned |
Bug Description
It seems that both /var/log/
```
brandon@:~$ ls -al /var/log/
-rw-r--r-- 1 syslog adm 1060887 Jan 26 05:23 /var/log/
-rw-r--r-- 1 root root 18666 Jan 26 05:23 /var/log/
```
Are there concerns with these being publicly readable? I don't have any specific examples of confidential information that may be exposed via these logs, but wouldn't it seem prudent to limit file permissions in case there was some unintended secrets output from another application or user-defined scripts that are run via cloudinit?
Related branches
- Scott Moser: Needs Fixing
- Server Team CI bot: Approve (continuous-integration)
-
Diff: 46 lines (+7/-1)3 files modifiedcloudinit/settings.py (+1/-0)
cloudinit/stages.py (+2/-1)
doc/examples/cloud-config.txt (+4/-0)
Changed in cloud-init: | |
status: | New → Confirmed |
importance: | Undecided → Low |
Changed in cloud-init: | |
status: | Confirmed → Triaged |
Changed in cloud-init: | |
status: | Triaged → Fix Committed |
Hi, thanks for the bug report. I've marked this as low.
The log should only put non-sensitive information. cloud-init log may be able to set permissionsn on the file as it uses python fileConfig to do so.
It would be nice to have output able to set the permissions.