cloud-init/SOURCES/0003-limit-permissions-on-def_log_file.patch

70 lines
2.5 KiB
Diff
Raw Normal View History

2022-11-08 06:38:55 +00:00
From cb7b35ca10c82c9725c3527e3ec5fb8cb7c61bc0 Mon Sep 17 00:00:00 2001
2021-05-18 06:46:09 +00:00
From: Eduardo Otubo <otubo@redhat.com>
2021-11-09 09:52:07 +00:00
Date: Fri, 7 May 2021 13:36:08 +0200
2021-04-06 13:33:04 +00:00
Subject: limit permissions on def_log_file
This sets a default mode of 0600 on def_log_file, and makes this
configurable via the def_log_file_mode option in cloud.cfg.
LP: #1541196
Resolves: rhbz#1424612
X-approved-upstream: true
2021-05-18 06:46:09 +00:00
2021-11-09 09:52:07 +00:00
Conflicts 21.1:
cloudinit/stages.py: adjusting call of ensure_file() to use more
recent version
2021-05-18 06:46:09 +00:00
Signed-off-by: Eduardo Otubo <otubo@redhat.com>
2021-04-06 13:33:04 +00:00
---
cloudinit/settings.py | 1 +
2021-11-09 09:52:07 +00:00
cloudinit/stages.py | 1 +
2021-04-06 13:33:04 +00:00
doc/examples/cloud-config.txt | 4 ++++
2021-11-09 09:52:07 +00:00
3 files changed, 6 insertions(+)
2021-04-06 13:33:04 +00:00
diff --git a/cloudinit/settings.py b/cloudinit/settings.py
2022-11-08 06:38:55 +00:00
index 39650a5b..3c2145e9 100644
2021-04-06 13:33:04 +00:00
--- a/cloudinit/settings.py
+++ b/cloudinit/settings.py
2022-11-08 06:38:55 +00:00
@@ -49,6 +49,7 @@ CFG_BUILTIN = {
"None",
2021-04-06 13:33:04 +00:00
],
2022-11-08 06:38:55 +00:00
"def_log_file": "/var/log/cloud-init.log",
+ "def_log_file_mode": 0o600,
"log_cfgs": [],
"mount_default_fields": [None, None, "auto", "defaults,nofail", "0", "2"],
"ssh_deletekeys": False,
2021-04-06 13:33:04 +00:00
diff --git a/cloudinit/stages.py b/cloudinit/stages.py
2022-11-08 06:38:55 +00:00
index 3f17294b..61db1dbd 100644
2021-04-06 13:33:04 +00:00
--- a/cloudinit/stages.py
+++ b/cloudinit/stages.py
2022-11-08 06:38:55 +00:00
@@ -205,6 +205,7 @@ class Init(object):
2021-04-06 13:33:04 +00:00
def _initialize_filesystem(self):
util.ensure_dirs(self._initial_subdirs())
2022-11-08 06:38:55 +00:00
log_file = util.get_cfg_option_str(self.cfg, "def_log_file")
+ log_file_mode = util.get_cfg_option_int(self.cfg, "def_log_file_mode")
2021-04-06 13:33:04 +00:00
if log_file:
2022-11-08 06:38:55 +00:00
util.ensure_file(log_file, mode=0o640, preserve_mode=True)
perms = self.cfg.get("syslog_fix_perms")
2021-04-06 13:33:04 +00:00
diff --git a/doc/examples/cloud-config.txt b/doc/examples/cloud-config.txt
2022-11-08 06:38:55 +00:00
index a2b4a3fa..0ccf3147 100644
2021-04-06 13:33:04 +00:00
--- a/doc/examples/cloud-config.txt
+++ b/doc/examples/cloud-config.txt
2021-05-18 06:46:09 +00:00
@@ -414,10 +414,14 @@ timezone: US/Eastern
2021-04-06 13:33:04 +00:00
# if syslog_fix_perms is a list, it will iterate through and use the
# first pair that does not raise error.
#
+# 'def_log_file' will be created with mode 'def_log_file_mode', which
+# is specified as a numeric value and defaults to 0600.
+#
# the default values are '/var/log/cloud-init.log' and 'syslog:adm'
# the value of 'def_log_file' should match what is configured in logging
# if either is empty, then no change of ownership will be done
def_log_file: /var/log/my-logging-file.log
+def_log_file_mode: 0600
syslog_fix_perms: syslog:root
# you can set passwords for a user or multiple users
--
2022-11-08 06:38:55 +00:00
2.31.1
2021-04-06 13:33:04 +00:00