Comment 0 for bug 1458052

When provisioning a virtual machine on Azure, a user password may be provided. Cloud-init retrieves the password via ovf-env.xml (stored on a CDROM) which is then written to /var/lib/waagent/ovf-env.xml for later consumption by the WALinuxAgent. After first boot provisioning the user password is not needed by cloud-init.

While the password is stored in plain text on disk, the password is _NOT_ accessible to a non-privelaged user. Both the directory and the file
itself are read-only:

$ stat /var/lib/waagent/
  File: ‘/var/lib/waagent/’
  Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: 801h/2049d Inode: 2532 Links: 2
Access: (0700/drwx------) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2015-04-13 11:44:08.021992200 +0000
Modify: 2015-04-13 11:44:11.341805500 +0000
Change: 2015-04-13 11:44:11.341805500 +0000
 Birth: -

$ sudo stat /var/lib/waagent/ovf-env.xml
  File: ‘/var/lib/waagent/ovf-env.xml’
  Size: 1633 Blocks: 8 IO Block: 4096 regular file
Device: 801h/2049d Inode: 2556 Links: 1
Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2015-04-13 11:44:08.021992200 +0000
Modify: 2015-04-13 11:44:08.021992200 +0000
Change: 2015-04-13 11:44:08.021992200 +0000
 Birth: -

However, because the fabric presents /dev/sr0 (which contains ovf-env.xml) until the machine reboots, even if cloud-init masked the password, a non-privileged user may be able to read the password via /dev/sr0 (i.e. strings /dev/sr0 | grep UserPassword).

Canonical's guidance on this matter is that any password provided by a fabric is inherently insecure; users should leverage SSH keys.