
cloud-init team mailing list archive

Re: [Request for Comments] Permissions and Ownership Changes to Log Files

 

On Sep 15, 2022, 17:23 -0500, Brett Holman <brett.holman@xxxxxxxxxxxxx>, wrote:
> Operating at a privileged security level but logging to files that
> unprivileged users can read from creates potential for sensitive data
> leaks, and this has led to multiple security vulnerabilities[1][2].

Both [1] and [2] seem to be hidden, I guess? "This candidate has been reserved by an organization or individual that will use it when announcing a new security problem."

> Proposal:
> =========
> The cloud-init team would like to change /var/log/cloud-init.log to be
> read-only by only root and the admin group members (wheel, adm, etc, depending
> on your distro/os).
>
> On Ubuntu this change would change the log file in the following way.
>
> from:
>
> -rw-r--r-- 1 syslog adm 874118 Jul 29 13:50 /var/log/cloud-init.log
>
> into:
>
> -rw-r----- 1 root adm 874118 Jul 29 13:50 /var/log/cloud-init.log

It's inconvenient that some distros drop world read from /var/log/messages and /var/log/syslog, probably because for so many years I've been doing less or tail /var/log/messages without sudo (or specific group membership). That said, I understand why it's moved from 644 to 640, and I understand why cloud-init is proposing the same.

It's probably a good idea, +1.
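
As an added example (not part of the original message and not cloud-init's own code), the check below tests an `ls -l` line, or a file on the host, against the owner, group and mode the proposal describes. The function names and the default admin group list `adm wheel` are assumptions; the proposal says the group depends on the distro.

```shell
#!/bin/sh
# Added example: audit a log file against the proposed policy
# (owner root, group an admin group, no access for "other").
# ADMIN_GROUPS is an assumption; set it to match your distro.
ADMIN_GROUPS="${ADMIN_GROUPS:-adm wheel}"

# check_ls_line LINE
# LINE is one line of `ls -l` output. Prints findings and returns 0 when
# the line matches the policy, 1 otherwise.
check_ls_line() {
    set -f              # no globbing while splitting the line
    set -- $1           # $1=mode string, $3=owner, $4=group
    set +f
    mode=$1 owner=$3 group=$4
    rc=0

    # Characters 8-10 of the mode string are the r/w/x bits for "other".
    other=$(printf '%s' "$mode" | cut -c8-10)
    if [ "$other" != "---" ]; then
        echo "FAIL: other has '$other' access"
        rc=1
    fi
    if [ "$owner" != "root" ]; then
        echo "FAIL: owner is '$owner', expected root"
        rc=1
    fi
    group_ok=1
    for g in $ADMIN_GROUPS; do
        [ "$g" = "$group" ] && group_ok=0
    done
    if [ "$group_ok" -ne 0 ]; then
        echo "FAIL: group '$group' is not one of: $ADMIN_GROUPS"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $mode $owner $group"
    return "$rc"
}

# check_log_file PATH
# Same check against a file on this host.
# Usage: check_log_file /var/log/cloud-init.log
check_log_file() {
    check_ls_line "$(ls -ld -- "$1")"
}
```

Run against the two listings quoted above, the first fails on both the owner and the other-read bit, and the second passes.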
