cloud-init team mailing list archive
Message #00421
Re: [Request for Comments] Permissions and Ownership Changes to Log Files
To: cloud-init@xxxxxxxxxxxxxxxxxxx, Brett Holman <brett.holman@xxxxxxxxxxxxx>
From: rhornsby@xxxxxxxx
Date: Fri, 16 Sep 2022 11:28:02 -0500
In-reply-to: <20220915222257.zsgcoajz5sqjlvyn@isa>

On Sep 15, 2022, 17:23 -0500, Brett Holman <brett.holman@xxxxxxxxxxxxx>, wrote:
> Operating at a privileged security level but logging to files that
> unprivileged users can read from creates potential for sensitive data
> leaks, and this has led to multiple security vulnerabilities[1][2].

Both [1] and [2] seem to be hidden, I guess? "This candidate has been reserved by an organization or individual that will use it when announcing a new security problem."

> Proposal:
> =========
> The cloud-init team would like to change /var/log/cloud-init.log to be
> read-only by only root and the admin group members (wheel, adm, etc, depending
> on your distro/os).
>
> On Ubuntu this change would change the log file in the following way.
>
> from:
>
> -rw-r--r-- 1 syslog adm 874118 Jul 29 13:50 /var/log/cloud-init.log
>
> into:
>
> -rw-r----- 1 root adm 874118 Jul 29 13:50 /var/log/cloud-init.log

It's inconvenient that some distros drop world read from /var/log/messages and /var/log/syslog, probably because for so many years I've been doing less or tail /var/log/messages without sudo (or specific group membership). That said, I understand why it's moved from 644 to 640, and I understand why cloud-init is proposing the same.

It's probably a good idea, +1.
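
Added example, not part of the original message and not cloud-init's own code: a check for the mode change proposed in the quoted text (0644 to 0640) that flags a world-readable log file and clears the extra bits without following symlinks. The function names are hypothetical, the temp file standing in for /var/log/cloud-init.log is constructed, and the ownership change (syslog to root) is left out because it needs root.

```python
import os
import stat
import tempfile

PROPOSED_MODE = 0o640  # -rw-r----- , the "into" state in the proposal


def audit_log(path, expected_mode=PROPOSED_MODE):
    """Return findings for one log file; an empty list means compliant."""
    try:
        st = os.lstat(path)  # lstat: never follow a symlink
    except FileNotFoundError:
        return ["missing"]
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    extra = mode & ~expected_mode & ~stat.S_IROTH
    if extra:
        findings.append(f"extra permission bits {extra:04o}")
    return findings


def tighten(path, expected_mode=PROPOSED_MODE):
    """Clear every bit outside expected_mode; never grants new access."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        current = stat.S_IMODE(os.fstat(fd).st_mode)
        os.fchmod(fd, current & expected_mode)
    finally:
        os.close(fd)
    return stat.S_IMODE(os.lstat(path).st_mode)


def demo():
    """Constructed sample: a temp file stands in for the real log."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "cloud-init.log")
        with open(log, "w") as f:
            f.write("constructed sample line\n")
        os.chmod(log, 0o644)  # the "from" state in the proposal
        before = audit_log(log)
        return before, tighten(log), audit_log(log)


if __name__ == "__main__":
    print(demo())
```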