Create log file should not explicitly set file mode - it should use the OS umask

Bug #1844983 reported by ChrisA
This bug affects 1 person
Affects: cloud-init
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

In the _initialize_filesystem call (cloudinit/stages.py#L149-L153) to create the log file via util.ensure_file(log_file), the file mode is explicitly set to 0o644. This is poor for the security of the system as the file is world readable and thus fails the CIS benchmarks for the OS.

A suggested remedy is within cloudinit/util.py#L1879 to not call chmod(filename, mode) and rely on the OS value of umask when creating log files.

Alternatively the mode for log files could be exposed via the config.
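
The difference between the reported pattern and the two suggested remedies, as an added example that is not part of the bug report and is not cloud-init's code. The function names, the temporary paths and the 0o077 umask are assumptions chosen for illustration.

```python
import os
import stat
import tempfile

def create_log_explicit(path, mode=0o644):
    """Reported pattern (hypothetical helper): create the file, then chmod it."""
    with open(path, "ab"):
        pass
    os.chmod(path, mode)  # overrides whatever the umask produced
    return stat.S_IMODE(os.stat(path).st_mode)

def create_log_umask(path, mode=None):
    """Suggested remedy (hypothetical helper): no chmod unless a mode is configured."""
    # Requesting 0o666 at creation lets the kernel apply the process umask.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o666)
    try:
        if mode is not None:  # the "expose the mode via the config" alternative
            os.fchmod(fd, mode)
    finally:
        os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)

def world_readable(mode):
    """The property the report says fails the benchmark: the 'other' read bit."""
    return bool(mode & stat.S_IROTH)

def demo(umask=0o077):
    """Create three logs under a restrictive umask and return their modes."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            explicit = create_log_explicit(os.path.join(d, "explicit.log"))
            by_umask = create_log_umask(os.path.join(d, "umask.log"))
            by_config = create_log_umask(os.path.join(d, "config.log"), mode=0o640)
            return explicit, by_umask, by_config
    finally:
        os.umask(old)  # restore the caller's umask

if __name__ == "__main__":
    labels = ("explicit chmod", "umask only", "configured 0o640")
    for label, m in zip(labels, demo()):
        print(f"{label:18} {oct(m)} world-readable={world_readable(m)}")
```

The umask is applied only when the file is created, so a log file that already exists keeps its current mode under the umask-only approach.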

Scott Moser (smoser) wrote :

Marked as a dupe, please un-dupe if you think that's wrong.

ChrisA (chrisdpa) wrote :

See workaround in the linked dupe too.
