cloud-init resets permissions on log file after reboot
Bug #1900837 reported by Richard Harding
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| cloud-init | Fix Released | High | Dan Watkins | |
Bug Description
In attempting to apply CIS security guidelines to an Ubuntu system, it was found that, after changing the log files in /var/log to 640, on a reboot cloud-init would reset the permissions to 644. As long as cloud-init can write to the file, it should be OK to alter the permissions without issue.
Changed in cloud-init:
- status: Triaged → In Progress
- assignee: nobody → Dan Watkins (oddbloke)
When it runs on each boot, specifically in the init stages (i.e. when the `cloud-init-local.service` and `cloud-init.service` systemd units run), cloud-init executes `ensure_file`[0] on `/var/log/cloud-init.log` and in so doing resets the permissions to 644.
I am fairly confident that this resetting of the permissions is not intentional; I can't think of a compelling reason to do that, so I expect we can stop doing it.
I believe the fix is fairly simple: `write_file` (which `ensure_file` uses) has a `preserve_mode` parameter which defaults to `False`. We should expose that in `ensure_file` and pass `preserve_mode=True` when calling `ensure_file` for `cloud-init.log`. Then it will be created world-readable if it does not already exist, but its permissions will not be modified if it does.
[0] https://github.com/canonical/cloud-init/blob/master/cloudinit/util.py#L1807-L1808
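The behaviour described in the comment, as an added illustration that is not cloud-init's own code: a hypothetical `ensure_file` with the proposed `preserve_mode` parameter, and a small scenario that models first boot, CIS hardening to 640, and a second boot, once with the default and once with `preserve_mode=True`. The default mode of 0644 is assumed from the comment above.

```python
import os
import stat
import tempfile

# Mode a freshly created log receives; assumed from the bug discussion.
DEFAULT_MODE = 0o644


def ensure_file(path, mode=DEFAULT_MODE, preserve_mode=False):
    """Create `path` if it is missing and return its final mode bits.

    Hypothetical re-implementation for illustration, not cloud-init's own
    function. With preserve_mode=False the mode is always reset (the
    reported behaviour); with preserve_mode=True an existing file keeps
    whatever mode an administrator set on it.
    """
    if preserve_mode and os.path.exists(path):
        mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, "a"):  # create if absent, never truncate existing content
        pass
    os.chmod(path, mode)  # chmod sets the bits exactly, so umask is irrelevant
    return stat.S_IMODE(os.stat(path).st_mode)


def simulate_reboots(path, hardened_mode=0o640, preserve_mode=False):
    """Model the CIS scenario from the bug report and return the final mode.

    First boot creates the log (0644), an administrator tightens it to
    `hardened_mode`, then the next boot runs ensure_file again.
    """
    ensure_file(path)
    os.chmod(path, hardened_mode)
    return ensure_file(path, preserve_mode=preserve_mode)


def demo():
    """Run the scenario both ways on a constructed temp file.

    Returns (mode_after_reboot_without_fix, mode_after_reboot_with_fix).
    """
    with tempfile.TemporaryDirectory() as tmp:
        log = os.path.join(tmp, "cloud-init.log")  # constructed sample path
        reset = simulate_reboots(log)
        os.remove(log)
        kept = simulate_reboots(log, preserve_mode=True)
    return reset, kept


if __name__ == "__main__":
    before, after = demo()
    print("without preserve_mode: %o, with preserve_mode: %o" % (before, after))
```

Running `demo()` shows the hardened 0640 reverting to 0644 without the fix and surviving the second boot with it.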