cloud-init resets permissions on log file after reboot

Bug #1900837 reported by Richard Harding
This bug affects 1 person

Status: Fix Released
Assigned to: Dan Watkins

Bug Description

In attempting to apply CIS security guidelines to an Ubuntu system, it was found that, after changing the log files in /var/log to 640, on a reboot cloud-init would reset the permissions to 644. As long as cloud-init can write to the file, it should be OK to alter the permissions without issue.

Dan Watkins (oddbloke) wrote :

When it runs on each boot, specifically in the init stages (i.e. when the `cloud-init-local.service` and `cloud-init.service` systemd units run), cloud-init executes `ensure_file`[0] on `/var/log/cloud-init.log` and in so doing resets the permissions to 644.

I am fairly confident that this resetting of the permissions is not intentional; I can't think of a compelling reason to do that, so I expect we can stop doing it.

I believe the fix is fairly simple: `write_file` (which `ensure_file` uses) has a `preserve_mode` parameter which defaults to `False`. We should expose that in `ensure_file` and pass `preserve_mode=True` when calling `ensure_file` for `cloud-init.log`. Then it will be created world-readable if it does not already exist, but its permissions will not be modified if it does.
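The behaviour described in the comment above, as an added example that is not cloud-init's own code: `ensure_file` here is a hypothetical re-implementation modelled on the description (create the file if missing, otherwise leave it alone), with a `preserve_mode` switch. `demo()` reproduces the reported reset of a 640 log to 644, then shows that with `preserve_mode=True` an operator's hardened mode survives while a missing file is still created with the default 644. The log content is a constructed sample.

```python
import os
import stat
import tempfile


def ensure_file(path, mode=0o644, preserve_mode=False):
    """Create `path` if it does not exist and make sure it is writable.

    Hypothetical re-implementation modelled on the behaviour described in the
    bug comment, not cloud-init's own utility:
      - a missing file is created with `mode`;
      - an existing file keeps its current mode when preserve_mode=True and is
        reset to `mode` when preserve_mode=False (the behaviour the bug reports).
    Returns the mode that was applied.
    """
    if preserve_mode and os.path.exists(path):
        mode = stat.S_IMODE(os.stat(path).st_mode)
    # Open for append so existing content is untouched; the open call itself
    # also verifies that the current process can write to the file.
    with open(path, "ab"):
        pass
    # Apply the mode explicitly so a freshly created file is not left to the umask.
    os.chmod(path, mode)
    return mode


def file_mode(path):
    """Return the permission bits of `path` as an int, e.g. 0o640."""
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Reproduce the reported reset, then show the preserve_mode fix.

    Returns (mode_after_reset, mode_after_preserve, mode_of_fresh_file).
    """
    with tempfile.TemporaryDirectory() as tmp:
        log = os.path.join(tmp, "cloud-init.log")
        # Operator hardens the log to 640, as the CIS guidance in the bug calls for.
        with open(log, "w") as f:
            f.write("constructed sample log line\n")  # constructed content
        os.chmod(log, 0o640)

        # Old behaviour: every boot clobbers the operator's mode back to 644.
        ensure_file(log, preserve_mode=False)
        after_reset = file_mode(log)

        # Restore the hardened mode and apply the fix: the mode is left alone.
        os.chmod(log, 0o640)
        ensure_file(log, preserve_mode=True)
        after_preserve = file_mode(log)

        # A file that does not exist yet is still created with the default mode.
        fresh = os.path.join(tmp, "fresh.log")
        ensure_file(fresh, preserve_mode=True)
        fresh_mode = file_mode(fresh)

    return after_reset, after_preserve, fresh_mode


if __name__ == "__main__":
    print(["%o" % m for m in demo()])
```

The same `file_mode` check is what an auditor would run against `/var/log/cloud-init.log` after a reboot to confirm the fix: the mode should still read 640 once it has been hardened.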


Dan Watkins (oddbloke)
Changed in cloud-init:
status: Triaged → In Progress
assignee: nobody → Dan Watkins (oddbloke)
Dan Watkins (oddbloke) wrote :

I've just opened a PR for this:

Dan Watkins (oddbloke) wrote :
Changed in cloud-init:
status: In Progress → Fix Committed
Chad Smith (chad.smith) wrote : Fixed in cloud-init version 20.4.

This bug is believed to be fixed in cloud-init in version 20.4. If this is still a problem for you, please make a comment and set the state back to New.

Thank you.

Changed in cloud-init:
status: Fix Committed → Fix Released
James Falcon (falcojr) wrote :