yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1844983] [NEW] Create log file should not explicitly set file mode - it should use the OS umask

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: ChrisA <1844983@xxxxxxxxxxxxxxxxxx>
Date: Mon, 23 Sep 2019 09:12:02 -0000
Reply-to: Bug 1844983 <1844983@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

In the _initialize_filesystem call (cloudinit/stages.py#L149-L153) to
create the log file via util.ensure_file(log_file) the file mode is
explicitly set to Oo644.  This is poor for the security of the system as
the file is world readable and thus fails the CIS benchmarks for the OS.

A suggested remedy is within cloudinit/util.py#L1879 to not call
chmod(filename, mode) and rely on the OS value of umask when creating
log files.

Alternatively the mode for log files could be exposed via the config.

** Affects: cloud-init
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/1844983

Title:
  Create log file should not explicitly set file mode - it should use
  the OS umask

Status in cloud-init:
  New

Bug description:
  In the _initialize_filesystem call (cloudinit/stages.py#L149-L153) to
  create the log file via util.ensure_file(log_file) the file mode is
  explicitly set to Oo644.  This is poor for the security of the system
  as the file is world readable and thus fails the CIS benchmarks for
  the OS.

  A suggested remedy is within cloudinit/util.py#L1879 to not call
  chmod(filename, mode) and rely on the OS value of umask when creating
  log files.

  Alternatively the mode for log files could be exposed via the config.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1844983/+subscriptions