Public bug reported:

In the _initialize_filesystem call (cloudinit/stages.py#L149-L153) to create the log file via util.ensure_file(log_file) the file mode is explicitly set to 0o644. This is poor for the security of the system as the file is world readable and thus fails the CIS benchmarks for the OS.

A suggested remedy is within cloudinit/util.py#L1879 to not call chmod(filename, mode) and rely on the OS value of umask when creating log files. Alternatively the mode for log files could be exposed via the config.

** Affects: cloud-init
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1844983

Title:
  Create log file should not explicitly set file mode - it should use the OS umask
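
The difference the report describes, as an added example that is not cloud-init's code: a create-then-chmod helper compared with one that leaves the mode to the process umask unless a mode is configured. The function names and the `mode` option are hypothetical, and the files are created in a temporary directory under a umask of 0o027.

```python
import os
import stat
import tempfile


def ensure_file_explicit_mode(path, mode=0o644):
    # Pattern the report describes: create the file, then force its mode.
    # chmod() is not filtered by the umask, so the result is exactly `mode`.
    with open(path, "ab"):
        pass
    os.chmod(path, mode)


def ensure_file_umask(path, mode=None):
    # Suggested remedy. `mode` stands in for a hypothetical config option;
    # None means "leave the decision to the process umask".
    # Request 0o666: the kernel clears the umask bits when it creates the file.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o666)
    try:
        if mode is not None:
            os.fchmod(fd, mode)
    finally:
        os.close(fd)


def perm_bits(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def demo(umask=0o027):
    # Create one log file per variant under a restrictive umask and report
    # (permission bits, world-readable?) for each.
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            paths = {n: os.path.join(d, n + ".log")
                     for n in ("explicit", "umask", "configured")}
            ensure_file_explicit_mode(paths["explicit"])
            ensure_file_umask(paths["umask"])
            ensure_file_umask(paths["configured"], mode=0o600)
            return {n: (perm_bits(p), bool(perm_bits(p) & stat.S_IROTH))
                    for n, p in paths.items()}
    finally:
        os.umask(old)


if __name__ == "__main__":
    for name, (bits, readable) in demo().items():
        print(f"{name:10s} {bits:04o} world_readable={readable}")
```

The umask only applies when the file is created; a log file that already exists keeps its current mode until it is changed explicitly.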