20a859
From 9855ef36cfbb148918cb223a997445d59f1dd4f7 Mon Sep 17 00:00:00 2001
20a859
From: Lars Kellogg-Stedman <lars@redhat.com>
20a859
Date: Fri, 7 Apr 2017 18:50:54 -0400
20a859
Subject: [PATCH] limit permissions on def_log_file
20a859
20a859
This sets a default mode of 0600 on def_log_file, and makes this
20a859
configurable via the def_log_file_mode option in cloud.cfg.
20a859
20a859
LP: #1541196
20a859
Resolves: rhbz#1424612
20a859
X-approved-upstream: true
20a859
---
20a859
 cloudinit/settings.py         | 1 +
20a859
 cloudinit/stages.py           | 3 ++-
20a859
 doc/examples/cloud-config.txt | 4 ++++
20a859
 3 files changed, 7 insertions(+), 1 deletion(-)
20a859
20a859
diff --git a/cloudinit/settings.py b/cloudinit/settings.py
20a859
index 6d31bb6..0d39aab 100644
20a859
--- a/cloudinit/settings.py
20a859
+++ b/cloudinit/settings.py
20a859
@@ -36,6 +36,7 @@ CFG_BUILTIN = {
20a859
         'None',
20a859
     ],
20a859
     'def_log_file': '/var/log/cloud-init.log',
20a859
+    'def_log_file_mode': 0o600,
20a859
     'log_cfgs': [],
20a859
     'mount_default_fields': [None, None, 'auto', 'defaults,nofail', '0', '2'],
20a859
     'ssh_deletekeys': False,
20a859
diff --git a/cloudinit/stages.py b/cloudinit/stages.py
20a859
index b0552dd..bb20a6f 100644
20a859
--- a/cloudinit/stages.py
20a859
+++ b/cloudinit/stages.py
20a859
@@ -145,8 +145,9 @@ class Init(object):
20a859
     def _initialize_filesystem(self):
20a859
         util.ensure_dirs(self._initial_subdirs())
20a859
         log_file = util.get_cfg_option_str(self.cfg, 'def_log_file')
20a859
+        log_file_mode = util.get_cfg_option_int(self.cfg, 'def_log_file_mode')
20a859
         if log_file:
20a859
-            util.ensure_file(log_file)
20a859
+            util.ensure_file(log_file, mode=log_file_mode)
20a859
             perms = self.cfg.get('syslog_fix_perms')
20a859
             if not perms:
20a859
                 perms = {}
20a859
diff --git a/doc/examples/cloud-config.txt b/doc/examples/cloud-config.txt
20a859
index c5f84b1..8fcce73 100644
20a859
--- a/doc/examples/cloud-config.txt
20a859
+++ b/doc/examples/cloud-config.txt
20a859
@@ -397,10 +397,14 @@ timezone: US/Eastern
20a859
 # if syslog_fix_perms is a list, it will iterate through and use the
20a859
 # first pair that does not raise error.
20a859
 #
20a859
+# 'def_log_file' will be created with mode 'def_log_file_mode', which
20a859
+# is specified as a numeric value and defaults to 0600.
20a859
+#
20a859
 # the default values are '/var/log/cloud-init.log' and 'syslog:adm'
20a859
 # the value of 'def_log_file' should match what is configured in logging
20a859
 # if either is empty, then no change of ownership will be done
20a859
 def_log_file: /var/log/my-logging-file.log
20a859
+def_log_file_mode: 0600
20a859
 syslog_fix_perms: syslog:root
20a859
 
20a859
 # you can set passwords for a user or multiple users