cloud-init team mailing list archive
[Request for Comments] Permissions and Ownership Changes to Log Files
-----BEGIN PGP SIGNED MESSAGE-----
Hello cloud-init community,
The cloud-init development team is considering a change to cloud-init
that affects users and distributions. We would like to make sure that
the change being considered gets the opportunity for community input.
Cloud-init executes as a privileged service as part of system boot.
This is required for many of the operations that cloud-init is
commonly responsible for, including user creation, disk partitioning,
filesystem creation, package install, etc.
Cloud-init operates on and with potentially sensitive data, but it
writes its log to a world-readable file, /var/log/cloud-init.log.
Running at a privileged level while logging to a file that unprivileged
users can read creates the potential for sensitive data leaks, and this
has led to multiple security vulnerabilities.
The cloud-init team would like to change /var/log/cloud-init.log to be
readable only by root and by members of the admin group (wheel, adm, etc.,
depending on your distro/OS).
On Ubuntu this change would change the log file in the following way.
Before:
-rw-r--r-- 1 syslog adm 874118 Jul 29 13:50 /var/log/cloud-init.log
After:
-rw-r----- 1 root adm 874118 Jul 29 13:50 /var/log/cloud-init.log
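As an added illustration (not cloud-init's own code, and not part of this
message), the following POSIX shell snippet shows how an operator can audit
a log directory for files that are readable by "other" and tighten a file to
the proposed mode of 0640 with an admin group as owner group. It assumes a
Linux system with GNU stat (for the -c flag); the group name passed to
harden_log is whatever the distribution uses (adm on Ubuntu), and changing
the group requires root or membership in that group.

```shell
#!/bin/sh
# Added example, not cloud-init code. Assumes Linux with GNU coreutils.

# is_world_readable PATH
# Returns 0 if the "other" read bit is set on PATH, 1 if not, 2 on error.
is_world_readable() {
    mode=$(stat -c '%a' "$1") || return 2   # e.g. 644, 640, 1777
    other=$(( mode % 10 ))                   # last octal digit = "other" class
    [ $(( other & 4 )) -ne 0 ]               # read bit is 4
}

# audit_world_readable DIR
# Prints every regular file under DIR that is readable by "other"
# (-perm -004 is the portable spelling of "other has read").
audit_world_readable() {
    find "$1" -type f -perm -004
}

# harden_log PATH GROUP
# Applies the mode shown in the proposal: owner rw, group r, other nothing,
# with GROUP as the owning group. Owner is left as-is; use chown as root
# if the owner must also become root.
harden_log() {
    chmod 0640 "$1" && chgrp "$2" "$1"
}

# Stand-alone demo on a temporary file (constructed here, not a real log).
demo() {
    f=$(mktemp) || return 1
    chmod 0644 "$f"                          # mimic the current world-readable state
    printf 'before: '; ls -l "$f"
    harden_log "$f" "$(id -gn)"              # current user's group stands in for adm
    printf 'after:  '; ls -l "$f"
    rm -f "$f"
}

# Run the demo only when executed directly, not when sourced.
case "$0" in
    *sh) ;;
    *) demo ;;
esac
```

In production the audit would be run as `audit_world_readable /var/log` and
any cloud-init log it lists would be passed to harden_log with the
distribution's admin group; users who relied on reading the file directly
then need that group membership or sudo, as the message notes.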
Currently all non-root users have access to /var/log/cloud-init.log. This
change would limit access to the file, which is more convenient to reach
today than it would be afterwards. Some users may need to be reconfigured
if they do not already have admin group membership or access via sudo.
This will significantly reduce the likelihood of future security
How this would affect Ubuntu:
Since this would represent a breaking change, it will not be
backported to existing releases