cloud-init/SOURCES/0003-limit-permissions-on-def_log_file.patch

From fa8f782f5dd24e81f7072bfc24c75340f0972af5 Mon Sep 17 00:00:00 2001
From: Lars Kellogg-Stedman <lars@redhat.com>
Date: Fri, 7 Apr 2017 18:50:54 -0400
Subject: limit permissions on def_log_file

This sets a default mode of 0600 on def_log_file, and makes this
configurable via the def_log_file_mode option in cloud.cfg.

LP: #1541196
Resolves: rhbz#1424612
X-approved-upstream: true
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
---
 cloudinit/settings.py         | 1 +
 cloudinit/stages.py           | 3 ++-
 doc/examples/cloud-config.txt | 4 ++++
 3 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/cloudinit/settings.py b/cloudinit/settings.py
index c5367687..d982a4d6 100644
--- a/cloudinit/settings.py
+++ b/cloudinit/settings.py
@@ -43,6 +43,7 @@ CFG_BUILTIN = {
         'None',
     ],
     'def_log_file': '/var/log/cloud-init.log',
+    'def_log_file_mode': 0o600,
     'log_cfgs': [],
     'mount_default_fields': [None, None, 'auto', 'defaults,nofail', '0', '2'],
     'ssh_deletekeys': False,
diff --git a/cloudinit/stages.py b/cloudinit/stages.py
index 8a064124..4f15484d 100644
--- a/cloudinit/stages.py
+++ b/cloudinit/stages.py
@@ -148,8 +148,9 @@ class Init(object):
     def _initialize_filesystem(self):
         util.ensure_dirs(self._initial_subdirs())
         log_file = util.get_cfg_option_str(self.cfg, 'def_log_file')
+        log_file_mode = util.get_cfg_option_int(self.cfg, 'def_log_file_mode')
         if log_file:
-            util.ensure_file(log_file)
+            util.ensure_file(log_file, mode=log_file_mode)
             perms = self.cfg.get('syslog_fix_perms')
             if not perms:
                 perms = {}
diff --git a/doc/examples/cloud-config.txt b/doc/examples/cloud-config.txt
index eb84dcf5..0e82b83e 100644
--- a/doc/examples/cloud-config.txt
+++ b/doc/examples/cloud-config.txt
@@ -413,10 +413,14 @@ timezone: US/Eastern
 # if syslog_fix_perms is a list, it will iterate through and use the
 # first pair that does not raise error.
 #
+# 'def_log_file' will be created with mode 'def_log_file_mode', which
+# is specified as a numeric value and defaults to 0600.
+#
 # the default values are '/var/log/cloud-init.log' and 'syslog:adm'
 # the value of 'def_log_file' should match what is configured in logging
 # if either is empty, then no change of ownership will be done
 def_log_file: /var/log/my-logging-file.log
+def_log_file_mode: 0600
 syslog_fix_perms: syslog:root
 
 # you can set passwords for a user or multiple users
-- 
2.20.1
import cloud-init-18.5-4.el8 2019-07-30 03:40:16 +00:00			`From fa8f782f5dd24e81f7072bfc24c75340f0972af5 Mon Sep 17 00:00:00 2001`
			`From: Lars Kellogg-Stedman <lars@redhat.com>`
			`Date: Fri, 7 Apr 2017 18:50:54 -0400`
			`Subject: limit permissions on def_log_file`

			`This sets a default mode of 0600 on def_log_file, and makes this`
			`configurable via the def_log_file_mode option in cloud.cfg.`

			`LP: #1541196`
			`Resolves: rhbz#1424612`
			`X-approved-upstream: true`
			`Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>`
			`---`
			`cloudinit/settings.py \| 1 +`
			`cloudinit/stages.py \| 3 ++-`
			`doc/examples/cloud-config.txt \| 4 ++++`
			`3 files changed, 7 insertions(+), 1 deletion(-)`

			`diff --git a/cloudinit/settings.py b/cloudinit/settings.py`
			`index c5367687..d982a4d6 100644`
			`--- a/cloudinit/settings.py`
			`+++ b/cloudinit/settings.py`
			`@@ -43,6 +43,7 @@ CFG_BUILTIN = {`
			`'None',`
			`],`
			`'def_log_file': '/var/log/cloud-init.log',`
			`+ 'def_log_file_mode': 0o600,`
			`'log_cfgs': [],`
			`'mount_default_fields': [None, None, 'auto', 'defaults,nofail', '0', '2'],`
			`'ssh_deletekeys': False,`
			`diff --git a/cloudinit/stages.py b/cloudinit/stages.py`
			`index 8a064124..4f15484d 100644`
			`--- a/cloudinit/stages.py`
			`+++ b/cloudinit/stages.py`
			`@@ -148,8 +148,9 @@ class Init(object):`
			`def _initialize_filesystem(self):`
			`util.ensure_dirs(self._initial_subdirs())`
			`log_file = util.get_cfg_option_str(self.cfg, 'def_log_file')`
			`+ log_file_mode = util.get_cfg_option_int(self.cfg, 'def_log_file_mode')`
			`if log_file:`
			`- util.ensure_file(log_file)`
			`+ util.ensure_file(log_file, mode=log_file_mode)`
			`perms = self.cfg.get('syslog_fix_perms')`
			`if not perms:`
			`perms = {}`
			`diff --git a/doc/examples/cloud-config.txt b/doc/examples/cloud-config.txt`
			`index eb84dcf5..0e82b83e 100644`
			`--- a/doc/examples/cloud-config.txt`
			`+++ b/doc/examples/cloud-config.txt`
			`@@ -413,10 +413,14 @@ timezone: US/Eastern`
			`# if syslog_fix_perms is a list, it will iterate through and use the`
			`# first pair that does not raise error.`
			`#`
			`+# 'def_log_file' will be created with mode 'def_log_file_mode', which`
			`+# is specified as a numeric value and defaults to 0600.`
			`+#`
			`# the default values are '/var/log/cloud-init.log' and 'syslog:adm'`
			`# the value of 'def_log_file' should match what is configured in logging`
			`# if either is empty, then no change of ownership will be done`
			`def_log_file: /var/log/my-logging-file.log`
			`+def_log_file_mode: 0600`
			`syslog_fix_perms: syslog:root`

			`# you can set passwords for a user or multiple users`
			`--`
			`2.20.1`