|
|
20a859 |
From 9855ef36cfbb148918cb223a997445d59f1dd4f7 Mon Sep 17 00:00:00 2001
|
|
|
20a859 |
From: Lars Kellogg-Stedman <lars@redhat.com>
|
|
|
20a859 |
Date: Fri, 7 Apr 2017 18:50:54 -0400
|
|
|
20a859 |
Subject: [PATCH] limit permissions on def_log_file
|
|
|
20a859 |
|
|
|
20a859 |
This sets a default mode of 0600 on def_log_file, and makes this
|
|
|
20a859 |
configurable via the def_log_file_mode option in cloud.cfg.
|
|
|
20a859 |
|
|
|
20a859 |
LP: #1541196
|
|
|
20a859 |
Resolves: rhbz#1424612
|
|
|
20a859 |
X-approved-upstream: true
|
|
|
20a859 |
---
|
|
|
20a859 |
cloudinit/settings.py | 1 +
|
|
|
20a859 |
cloudinit/stages.py | 3 ++-
|
|
|
20a859 |
doc/examples/cloud-config.txt | 4 ++++
|
|
|
20a859 |
3 files changed, 7 insertions(+), 1 deletion(-)
|
|
|
20a859 |
|
|
|
20a859 |
diff --git a/cloudinit/settings.py b/cloudinit/settings.py
|
|
|
20a859 |
index 6d31bb6..0d39aab 100644
|
|
|
20a859 |
--- a/cloudinit/settings.py
|
|
|
20a859 |
+++ b/cloudinit/settings.py
|
|
|
20a859 |
@@ -36,6 +36,7 @@ CFG_BUILTIN = {
|
|
|
20a859 |
'None',
|
|
|
20a859 |
],
|
|
|
20a859 |
'def_log_file': '/var/log/cloud-init.log',
|
|
|
20a859 |
+ 'def_log_file_mode': 0o600,
|
|
|
20a859 |
'log_cfgs': [],
|
|
|
20a859 |
'mount_default_fields': [None, None, 'auto', 'defaults,nofail', '0', '2'],
|
|
|
20a859 |
'ssh_deletekeys': False,
|
|
|
20a859 |
diff --git a/cloudinit/stages.py b/cloudinit/stages.py
|
|
|
20a859 |
index b0552dd..bb20a6f 100644
|
|
|
20a859 |
--- a/cloudinit/stages.py
|
|
|
20a859 |
+++ b/cloudinit/stages.py
|
|
|
20a859 |
@@ -145,8 +145,9 @@ class Init(object):
|
|
|
20a859 |
def _initialize_filesystem(self):
|
|
|
20a859 |
util.ensure_dirs(self._initial_subdirs())
|
|
|
20a859 |
log_file = util.get_cfg_option_str(self.cfg, 'def_log_file')
|
|
|
20a859 |
+ log_file_mode = util.get_cfg_option_int(self.cfg, 'def_log_file_mode')
|
|
|
20a859 |
if log_file:
|
|
|
20a859 |
- util.ensure_file(log_file)
|
|
|
20a859 |
+ util.ensure_file(log_file, mode=log_file_mode)
|
|
|
20a859 |
perms = self.cfg.get('syslog_fix_perms')
|
|
|
20a859 |
if not perms:
|
|
|
20a859 |
perms = {}
|
|
|
20a859 |
diff --git a/doc/examples/cloud-config.txt b/doc/examples/cloud-config.txt
|
|
|
20a859 |
index c5f84b1..8fcce73 100644
|
|
|
20a859 |
--- a/doc/examples/cloud-config.txt
|
|
|
20a859 |
+++ b/doc/examples/cloud-config.txt
|
|
|
20a859 |
@@ -397,10 +397,14 @@ timezone: US/Eastern
|
|
|
20a859 |
# if syslog_fix_perms is a list, it will iterate through and use the
|
|
|
20a859 |
# first pair that does not raise error.
|
|
|
20a859 |
#
|
|
|
20a859 |
+# 'def_log_file' will be created with mode 'def_log_file_mode', which
|
|
|
20a859 |
+# is specified as a numeric value and defaults to 0600.
|
|
|
20a859 |
+#
|
|
|
20a859 |
# the default values are '/var/log/cloud-init.log' and 'syslog:adm'
|
|
|
20a859 |
# the value of 'def_log_file' should match what is configured in logging
|
|
|
20a859 |
# if either is empty, then no change of ownership will be done
|
|
|
20a859 |
def_log_file: /var/log/my-logging-file.log
|
|
|
20a859 |
+def_log_file_mode: 0600
|
|
|
20a859 |
syslog_fix_perms: syslog:root
|
|
|
20a859 |
|
|
|
20a859 |
# you can set passwords for a user or multiple users
|