network v2: do not render world-readable netplan when wifi or auth config contains sensitive passwords

Bug #1981646 reported by Chad Smith
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Fix Released

Bug Description supports wifi password and auto client-key-password keys which should generally not be world-readable.

But, when rendering passthrough V2 network configuration, cloud-init emits a single /etc/netplan/50-cloud-init.yaml file that is world readable.

If network v2 config contains sensitive password keys it may make sense for cloud-init to either:

1. Make /etc/netplan/50-cloud-init.yaml only root-readable
- OR -
2. Write a world-readable /etc/netplan/50-cloud-init.yaml containing all keys except wifis and auth and a root-readable /etc/netplan/50-cloud-init-sensitive.yaml which would contain any security sensitive config content.

Tags: fr-2562
James Falcon (falcojr)
Changed in cloud-init:
status: New → Triaged
Revision history for this message
Chad Smith (chad.smith) wrote (last edit ):

Alternative solution to this could be if grows a new root-only directory option that defines a schema for storing sensitive information like credentials. Not sure if this is something would plan to grow or not. Tagging on this bug as an FYI `wishlist` in case future feature work goes this direction.

The features that may be nice from netplan frm a usability standpoint:
 1. documented policy that suggests chmod 600 on any netplan YAML
 2. Instrumented policy in `netplan generate` or `netplan apply` that warns about world-readable files consumed which happen to contain security-related keys.
 3. Ideally, sensitive YAML content root-only files wouldn't live in with world-readable content in /etc/netplan/* files. Possibly define a sensitive/security/credentials subdirectory/schema that could contain the security bits.

This is probably not the bug to file against as it contains multiple feature request, but I wanted to track the sentiment in case that effort is becomes something desireable for netplan (and thereby affecting how cloud-init should write out sensitive files).

Lukas Märdian (slyon)
tags: added: fr-2562
Lukas Märdian (slyon)
Changed in netplan:
status: New → Triaged
importance: Undecided → Wishlist
Revision history for this message
Lukas Märdian (slyon) wrote :

Thank you for the suggestions in comment #1.

(2) has been implemented in:

(1) got implemented just now, to be reflected in our docs:

I'll keep this bug open as a feature request (wishlist) to consider the implementation of (3)

Revision history for this message
Alex Dehnert (adehnert) wrote :

Any chance of getting the cloud-init side of this fixed? It's disconcerting to find my wifi passwords world-readable, and according to the comment at the top of the file:
# This file is generated from information provided by the datasource. Changes
# to it will not persist across an instance reboot.

That suggests I can't just fix the permissions and leave it alone. (OTOH, actually changing that file doesn't seem to have my changes, to either permissions or content, overwritten.)

Revision history for this message
James Falcon (falcojr) wrote :

The cloud-init side of this is is available on Ubuntu 23.04+. Older releases will not see this functionality as to not break backwards compatibility.

Change landed in .

Changed in cloud-init:
status: Triaged → Fix Released
Revision history for this message
Alex Dehnert (adehnert) wrote :


Revision history for this message
James Falcon (falcojr) wrote :
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.