← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1981646] Re: network v2: do not render world-readable netplan when wifi or auth config contains sensitive passwords

 

The cloud-init side of this is is available on Ubuntu 23.04+. Older
releases will not see this functionality as to not break backwards
compatibility.

Change landed in https://github.com/canonical/cloud-init/pull/1891 .

** Changed in: cloud-init
       Status: Triaged => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/1981646

Title:
  network v2: do not render world-readable netplan when wifi or auth
  config contains sensitive passwords

Status in cloud-init:
  Fix Released
Status in netplan:
  Triaged

Bug description:
  https://netplan.io/reference/ supports wifi password and auto client-
  key-password keys which should generally not be world-readable.

  
  But, when rendering passthrough V2 network configuration, cloud-init emits a single /etc/netplan/50-cloud-init.yaml file that is world readable.

  If network v2 config contains sensitive password keys it may make
  sense for cloud-init to either:

  1. Make /etc/netplan/50-cloud-init.yaml only root-readable
  - OR -
  2. Write a world-readable /etc/netplan/50-cloud-init.yaml containing all keys except wifis and auth  and a root-readable /etc/netplan/50-cloud-init-sensitive.yaml  which would contain any security sensitive config content.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1981646/+subscriptions



References