bb836b
From 6134624f10ef56534e37624adc12f11b09910591 Mon Sep 17 00:00:00 2001
2b0ae0
From: Eduardo Otubo <otubo@redhat.com>
bb836b
Date: Fri, 7 May 2021 13:36:08 +0200
18322d
Subject: limit permissions on def_log_file
18322d
18322d
This sets a default mode of 0600 on def_log_file, and makes this
18322d
configurable via the def_log_file_mode option in cloud.cfg.
18322d
18322d
LP: #1541196
18322d
Resolves: rhbz#1424612
18322d
X-approved-upstream: true
2b0ae0
bb836b
Conflicts 21.1:
bb836b
    cloudinit/stages.py: adjusting call of ensure_file() to use more
bb836b
recent version
bb836b
2b0ae0
Signed-off-by: Eduardo Otubo <otubo@redhat.com>
18322d
---
18322d
 cloudinit/settings.py         | 1 +
bb836b
 cloudinit/stages.py           | 1 +
18322d
 doc/examples/cloud-config.txt | 4 ++++
bb836b
 3 files changed, 6 insertions(+)
18322d
18322d
diff --git a/cloudinit/settings.py b/cloudinit/settings.py
bb836b
index e690c0fd..43a1490c 100644
18322d
--- a/cloudinit/settings.py
18322d
+++ b/cloudinit/settings.py
bb836b
@@ -46,6 +46,7 @@ CFG_BUILTIN = {
18322d
         'None',
18322d
     ],
18322d
     'def_log_file': '/var/log/cloud-init.log',
18322d
+    'def_log_file_mode': 0o600,
18322d
     'log_cfgs': [],
18322d
     'mount_default_fields': [None, None, 'auto', 'defaults,nofail', '0', '2'],
18322d
     'ssh_deletekeys': False,
18322d
diff --git a/cloudinit/stages.py b/cloudinit/stages.py
bb836b
index 3ef4491c..83e25dd1 100644
18322d
--- a/cloudinit/stages.py
18322d
+++ b/cloudinit/stages.py
bb836b
@@ -147,6 +147,7 @@ class Init(object):
18322d
     def _initialize_filesystem(self):
18322d
         util.ensure_dirs(self._initial_subdirs())
18322d
         log_file = util.get_cfg_option_str(self.cfg, 'def_log_file')
18322d
+        log_file_mode = util.get_cfg_option_int(self.cfg, 'def_log_file_mode')
18322d
         if log_file:
bb836b
             util.ensure_file(log_file, preserve_mode=True)
18322d
             perms = self.cfg.get('syslog_fix_perms')
18322d
diff --git a/doc/examples/cloud-config.txt b/doc/examples/cloud-config.txt
bb836b
index de9a0f87..bb33ad45 100644
18322d
--- a/doc/examples/cloud-config.txt
18322d
+++ b/doc/examples/cloud-config.txt
2b0ae0
@@ -414,10 +414,14 @@ timezone: US/Eastern
18322d
 # if syslog_fix_perms is a list, it will iterate through and use the
18322d
 # first pair that does not raise error.
18322d
 #
18322d
+# 'def_log_file' will be created with mode 'def_log_file_mode', which
18322d
+# is specified as a numeric value and defaults to 0600.
18322d
+#
18322d
 # the default values are '/var/log/cloud-init.log' and 'syslog:adm'
18322d
 # the value of 'def_log_file' should match what is configured in logging
18322d
 # if either is empty, then no change of ownership will be done
18322d
 def_log_file: /var/log/my-logging-file.log
18322d
+def_log_file_mode: 0600
18322d
 syslog_fix_perms: syslog:root
18322d
 
18322d
 # you can set passwords for a user or multiple users
18322d
-- 
bb836b
2.27.0
18322d