Public bug reported:

In the _initialize_filesystem call (cloudinit/stages.py#L149-L153) to
create the log file via util.ensure_file(log_file) the file mode is
explicitly set to 0o644.  This is poor for the security of the system as
the file is world readable and thus fails the CIS benchmarks for the OS.

A suggested remedy is within cloudinit/util.py#L1879 to not call
chmod(filename, mode) and rely on the OS value of umask when creating
log files.

Alternatively the mode for log files could be exposed via the config.

** Affects: cloud-init
     Importance: Undecided
         Status: New
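
The difference the report describes, shown as an added Python example (not cloud-init's code): creating a log file and then calling chmod with a fixed mode, versus creating it without chmod so the process umask decides. The function names, the temporary file names and the 0o027 umask are assumptions chosen for illustration.

```python
import os
import stat
import tempfile


def create_with_chmod(path, mode=0o644):
    """Behaviour described in the report: create, then chmod to a fixed mode."""
    with open(path, "ab"):
        pass
    os.chmod(path, mode)  # overrides whatever the umask produced
    return stat.S_IMODE(os.stat(path).st_mode)


def create_with_umask(path, requested=0o666):
    """Suggested remedy: no chmod; the kernel applies requested & ~umask."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, requested)
    os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


def is_world_readable(path):
    """True when the 'other' read bit is set on the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def demo(umask=0o027):
    """Create both files under a hardened umask (assumed value) and report modes."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            explicit = os.path.join(d, "explicit.log")  # constructed sample path
            inherited = os.path.join(d, "umask.log")    # constructed sample path
            mode_a = create_with_chmod(explicit)
            mode_b = create_with_umask(inherited)
            return {
                "explicit": (oct(mode_a), is_world_readable(explicit)),
                "umask": (oct(mode_b), is_world_readable(inherited)),
            }
    finally:
        os.umask(old)  # restore the caller's umask


if __name__ == "__main__":
    print(demo())
```

The umask is applied only when the file is created, so a log file that already exists as world readable keeps that mode until it is changed.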

https://bugs.launchpad.net/bugs/1844983

Title:
  Create log file should not explicitly set file mode - it should use
  the OS umask

Status in cloud-init:
  New
