yahoo-eng-team team mailing list archive
Message #89214
[Bug 1978422] Re: cloud-init logs leak hashed passwords
** Changed in: cloud-init
Status: Triaged => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/1978422
Title:
cloud-init logs leak hashed passwords
Status in cloud-init:
Fix Released
Bug description:
The recent update of cloud-init to Version: 22.2-0ubuntu1~20.04.1 on Ubuntu 20.04 LTS
has started logging a warning that includes hashed passwords into at least three files readable by all users:
/var/log/cloud-init.log
2022-06-12 21:23:48,866 - util.py[DEBUG]: Read 100004 bytes from /usr/lib/python3/dist-packages/cloudinit/config/schemas/schema-cloud-config-v1.json
2022-06-12 21:23:48,963 - schema.py[WARNING]: Invalid cloud-config provided:
users.0: {'gecos': 'Mike Stroyan', 'groups': ['adm', 'cdrom', 'dip', 'plugdev', 'lxd', 'sudo'], 'lock-passwd': False, 'name': 'mike', 'passwd': 'HASHED_PASSWORD!', 'shell': '/bin/bash'} is not valid under any of the given schemas
2022-06-12 21:23:48,964 - util.py[DEBUG]: Reading from /var/lib/cloud/instance/cloud-config.txt (quiet=False)
/var/log/cloud-init-output.log
2022-06-12 21:23:48,963 - schema.py[WARNING]: Invalid cloud-config provided:
users.0: {'gecos': 'Mike Stroyan', 'groups': ['adm', 'cdrom', 'dip', 'plugdev', 'lxd', 'sudo'], 'lock-passwd': False, 'name': 'mike', 'passwd': 'HASHED_PASSWORD!', 'shell': '/bin/bash'} is not valid under any of the given schemas
/var/log/syslog
Jun 12 15:23:49 b2 cloud-init[800]: 2022-06-12 21:23:48,963 - schema.py[WARNING]: Invalid cloud-config provided:
Jun 12 15:23:49 b2 cloud-init[800]: users.0: {'gecos': 'Mike Stroyan', 'groups': ['adm', 'cdrom', 'dip', 'plugdev', 'lxd', 'sudo'], 'lock-passwd': False, 'name': 'mike', 'passwd': 'HASHED_PASSWORD!', 'shell': '/bin/bash'} is not valid under any of the given schemas
Jun 12 15:23:49 b2 systemd[1]: Finished Initial cloud-init job (metadata service crawler).
It looks like the warning about not being compliant with schemas comes
from both the use of a "lock-passwd" key and by representation of
users groups as an array of strings instead of a single string
containing a comma separated list of groups.
/var/lib/cloud/seed/nocloud-net/user-data is written with "lock-passwd" by the original subiquity in the 20.04 server release.
That was later changed to "lock_passwd" in this merged pull request:
https://github.com/canonical/subiquity/pull/784
But installations done with the original 20.04 release will still have "lock-passwd".
That propagates to several files in /var/lib/cloud/instance/.
The treatment of the "groups" key as an array of strings continues in
subiquity.
Both "lock-passwd" and "groups" conflict with /usr/lib/python3/dist-packages/cloudinit/config/schemas/schema-cloud-config-v1.json.
That would be a more minor issue if the warning put into multiple log
files didn't contain the password hash that is otherwise only readable
by root.
To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1978422/+subscriptions
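The leak in the report comes from formatting the whole offending user entry into the schema warning. As an added example (not cloud-init's own code), the helper below masks password-bearing keys before the warning text is built, and a second function scans log lines for an unmasked passwd value so an operator can detect which files already carry the hash. The key names hashed_passwd and plain_text_passwd are assumed alongside the report's passwd; the user entry and log lines are constructed from the report.

```python
import re
from typing import Any, Dict, List

# Keys whose values must never reach a log file. The report shows 'passwd'
# leaking; the other two names are assumed for completeness of the redaction.
SENSITIVE_KEYS = {"passwd", "hashed_passwd", "plain_text_passwd"}
REDACTED = "REDACTED"

def redact_sensitive(obj: Any) -> Any:
    """Return a deep copy of a cloud-config fragment with sensitive values masked.

    Recurses through dicts and lists, so nested structures such as the
    'users' list are covered; the input object is left untouched."""
    if isinstance(obj, dict):
        return {k: (REDACTED if k in SENSITIVE_KEYS else redact_sensitive(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact_sensitive(v) for v in obj]
    return obj

def schema_warning(path: str, entry: Dict[str, Any]) -> str:
    """Build the 'Invalid cloud-config' warning text with secrets masked."""
    return f"{path}: {redact_sensitive(entry)!r} is not valid under any of the given schemas"

# Detection: a quoted passwd-style key followed by a literal value that is not the mask.
LEAK_RE = re.compile(r"'(?:passwd|hashed_passwd|plain_text_passwd)':\s*'(?!REDACTED')[^']+'")

def find_leaked_hashes(lines: List[str]) -> List[int]:
    """Return 1-based line numbers of log lines that expose a password value."""
    return [i for i, line in enumerate(lines, start=1) if LEAK_RE.search(line)]

# Constructed sample: the user entry from the bug report as a Python dict.
USER_ENTRY = {"gecos": "Mike Stroyan", "groups": ["adm", "sudo"], "lock-passwd": False,
              "name": "mike", "passwd": "HASHED_PASSWORD!", "shell": "/bin/bash"}

# Constructed sample log lines, modelled on the report's /var/log/cloud-init.log excerpt.
SAMPLE_LOG = [
    "2022-06-12 21:23:48,963 - schema.py[WARNING]: Invalid cloud-config provided:",
    "users.0: " + repr(USER_ENTRY) + " is not valid under any of the given schemas",
    "2022-06-12 21:23:48,964 - util.py[DEBUG]: Reading from /var/lib/cloud/instance/cloud-config.txt (quiet=False)",
]

if __name__ == "__main__":
    print(schema_warning("users.0", USER_ENTRY))
    print("lines exposing a password value:", find_leaked_hashes(SAMPLE_LOG))
```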