diff --git a/debian/changelog b/debian/changelog
index 8deffa310861..ad1af64db3ff 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,6 @@
 cloud-init (21.1-19-gbad84ad4-0ubuntu1~20.10.1) UNRELEASED; urgency=medium
+  * d/cloud-init.postinst: Change output log permissions on upgrade
+    (LP: #1918303)
   * d/cloud-init.manpages: include upstream manpages in package (LP: #1908548)
   * drop the following cherry-picks now included:
     + cpick-4f62ae8d-Fix-regression-with-handling-of-IMDS-ssh-keys-760
diff --git a/debian/cloud-init.postinst b/debian/cloud-init.postinst
index bb1535e81782..683ba86de6cc 100644
--- a/debian/cloud-init.postinst
+++ b/debian/cloud-init.postinst
@@ -327,6 +327,22 @@ fix_lp1889555() {
     db_set grub-pc/install_devices_empty "false"
 }
 
+change_cloud_init_output_log_permissions() {
+    # As a consequence of LP: #1918303
+    local oldver="$1" last_bad_ver="21.1-0ubuntu1"
+    dpkg --compare-versions "$oldver" le-nl "$last_bad_ver" || return 0
+
+    output_file="/var/log/cloud-init-output.log"
+    if [ -f "$output_file" ]; then
+        if getent group adm > /dev/null; then
+            chown root:adm $output_file
+        else
+            chown root $output_file
+        fi
+        chmod 640 $output_file
+    fi
+}
+
 
 if [ "$1" = "configure" ]; then
    if db_get cloud-init/datasources; then
@@ -358,6 +374,7 @@ EOF
 
    cleanup_ureadahead "$2"
    fix_lp1889555 "$2"
+   change_cloud_init_output_log_permissions "$2"
 fi
 
 #DEBHELPER#