cloud-init team mailing list archive

[Request for Comments] Permissions and Ownership Changes to Log Files

 

Hello cloud-init community,

The cloud-init development team is considering a change to cloud-init
that affects users and distributions. We would like to make sure
that the change being considered gets the opportunity for community input.


Background:
===========
Cloud-init executes as a privileged service as part of system boot.
This is required for many of the operations that cloud-init is
commonly responsible for, including user creation, disk partitioning,
filesystem creation, package install, etc.


Problem:
========
Cloud-init operates on and with potentially sensitive data, however it
writes logging information in a world-readable file, cloud-init.log.

Operating at a privileged security level but logging to files that
unprivileged users can read from creates potential for sensitive data
leaks, and this has led to multiple security vulnerabilities[1][2].


Proposal:
=========
The cloud-init team would like to change /var/log/cloud-init.log to be
read-only by only root and the admin group members (wheel, adm, etc, depending
on your distro/os).

On Ubuntu this change would change the log file in the following way.

from:

	-rw-r--r-- 1 syslog adm 874118 Jul 29 13:50 /var/log/cloud-init.log

into:

	-rw-r----- 1 root adm 874118 Jul 29 13:50 /var/log/cloud-init.log


Considerations:
===============
Currently all non-root users have access to /var/log/cloud-init.log. This
change would limit access to the file, which is currently more conveniently
accessible. User re-configuration may be necessary in some cases when users
don't already have admin group membership or access via sudo.

This will significantly reduce the likelihood of future security
vulnerabilities.


How this would affect Ubuntu:
=============================

Since this would represent a breaking change, it will not be
backported to existing releases.


Best,
Brett Holman

[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3429
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2084
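
Added example, not part of the original message and not cloud-init code: a small audit that checks a log file against the ownership and mode proposed above (root, an admin group, 0640), run here over the two `ls -l` lines quoted in the message. The function names and the ADMIN_GROUPS set are assumptions made for illustration.

```python
import os
import stat

# Assumption: admin group names differ per distro; the message names wheel and adm.
ADMIN_GROUPS = {"adm", "wheel"}

# The two listings quoted in the message (current and proposed state on Ubuntu).
BEFORE = "-rw-r--r-- 1 syslog adm 874118 Jul 29 13:50 /var/log/cloud-init.log"
AFTER = "-rw-r----- 1 root adm 874118 Jul 29 13:50 /var/log/cloud-init.log"

def parse_ls_line(line):
    """Parse one `ls -l` line into (mode_bits, owner, group, path)."""
    fields = line.split()
    perms, owner, group, path = fields[0], fields[2], fields[3], fields[-1]
    mode = 0
    # perms[1:10] is the rwxrwxrwx part; lowercase s/t also imply the x bit.
    for i, ch in enumerate(perms[1:10]):
        if ch in "rwxst":
            mode |= 1 << (8 - i)
    return mode, owner, group, path

def findings(mode, owner, group):
    """List deviations from the proposed root:<admin group> 0640 policy."""
    out = []
    if owner != "root":
        out.append(f"owner is {owner}, expected root")
    if group not in ADMIN_GROUPS:
        out.append(f"group is {group}, expected one of {sorted(ADMIN_GROUPS)}")
    if mode & stat.S_IRWXO:
        out.append(f"mode {mode:04o} grants access to other users")
    if mode & stat.S_IWGRP:
        out.append(f"mode {mode:04o} lets the group write")
    return out

def audit_path(path):
    """Audit a file on the local system (POSIX only)."""
    import grp
    import pwd
    st = os.stat(path)
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:  # uid without a passwd entry
        owner = str(st.st_uid)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:  # gid without a group entry
        group = str(st.st_gid)
    return findings(stat.S_IMODE(st.st_mode), owner, group)

if __name__ == "__main__":
    for line in (BEFORE, AFTER):
        mode, owner, group, path = parse_ls_line(line)
        print(path, f"{mode:04o}", findings(mode, owner, group) or "OK")
```

On a live system, `audit_path("/var/log/cloud-init.log")` applies the same checks to the real file.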


