1160f5
From 40ad855b883050069393b9c00db2a6d222d949db Mon Sep 17 00:00:00 2001
d9e4dd
From: Eduardo Otubo <otubo@redhat.com>
d9e4dd
Date: Fri, 7 May 2021 13:36:08 +0200
d9e4dd
Subject: limit permissions on def_log_file
d9e4dd
d9e4dd
This sets a default mode of 0600 on def_log_file, and makes this
d9e4dd
configurable via the def_log_file_mode option in cloud.cfg.
d9e4dd
d9e4dd
LP: #1541196
d9e4dd
Resolves: rhbz#1424612
d9e4dd
X-approved-upstream: true
d9e4dd
d9e4dd
Conflicts 21.1:
d9e4dd
    cloudinit/stages.py: adjusting call of ensure_file() to use more
d9e4dd
recent version
d9e4dd
d9e4dd
Signed-off-by: Eduardo Otubo <otubo@redhat.com>
d9e4dd
---
d9e4dd
 cloudinit/settings.py         | 1 +
d9e4dd
 cloudinit/stages.py           | 1 +
d9e4dd
 doc/examples/cloud-config.txt | 4 ++++
d9e4dd
 3 files changed, 6 insertions(+)
d9e4dd
d9e4dd
diff --git a/cloudinit/settings.py b/cloudinit/settings.py
1160f5
index a780e21e..aa2d6b95 100644
d9e4dd
--- a/cloudinit/settings.py
d9e4dd
+++ b/cloudinit/settings.py
1160f5
@@ -49,6 +49,7 @@ CFG_BUILTIN = {
1160f5
         "None",
d9e4dd
     ],
d9e4dd
     'def_log_file': '/var/log/cloud-init.log',
d9e4dd
+    'def_log_file_mode': 0o600,
d9e4dd
     'log_cfgs': [],
d9e4dd
     'mount_default_fields': [None, None, 'auto', 'defaults,nofail', '0', '2'],
d9e4dd
     'ssh_deletekeys': False,
d9e4dd
diff --git a/cloudinit/stages.py b/cloudinit/stages.py
1160f5
index 3f17294b..61db1dbd 100644
d9e4dd
--- a/cloudinit/stages.py
d9e4dd
+++ b/cloudinit/stages.py
1160f5
@@ -205,6 +205,7 @@ class Init(object):
d9e4dd
     def _initialize_filesystem(self):
d9e4dd
         util.ensure_dirs(self._initial_subdirs())
1160f5
         log_file = util.get_cfg_option_str(self.cfg, "def_log_file")
1160f5
+        log_file_mode = util.get_cfg_option_int(self.cfg, "def_log_file_mode")
d9e4dd
         if log_file:
1160f5
             util.ensure_file(log_file, mode=0o640, preserve_mode=True)
1160f5
             perms = self.cfg.get("syslog_fix_perms")
d9e4dd
diff --git a/doc/examples/cloud-config.txt b/doc/examples/cloud-config.txt
1160f5
index a2b4a3fa..0ccf3147 100644
d9e4dd
--- a/doc/examples/cloud-config.txt
d9e4dd
+++ b/doc/examples/cloud-config.txt
d9e4dd
@@ -414,10 +414,14 @@ timezone: US/Eastern
d9e4dd
 # if syslog_fix_perms is a list, it will iterate through and use the
d9e4dd
 # first pair that does not raise error.
d9e4dd
 #
d9e4dd
+# 'def_log_file' will be created with mode 'def_log_file_mode', which
d9e4dd
+# is specified as a numeric value and defaults to 0600.
d9e4dd
+#
d9e4dd
 # the default values are '/var/log/cloud-init.log' and 'syslog:adm'
d9e4dd
 # the value of 'def_log_file' should match what is configured in logging
d9e4dd
 # if either is empty, then no change of ownership will be done
d9e4dd
 def_log_file: /var/log/my-logging-file.log
d9e4dd
+def_log_file_mode: 0600
d9e4dd
 syslog_fix_perms: syslog:root
d9e4dd
 
d9e4dd
 # you can set passwords for a user or multiple users
d9e4dd
-- 
1160f5
2.31.1
d9e4dd