
write passwords only to serial console, lock down cloud-init-output.log #847

Merged
merged 1 commit into from
Mar 19, 2021

Conversation

OddBloke
Collaborator

Proposed Commit Message

write passwords only to serial console, lock down cloud-init-output.log

Prior to this commit, when a user specified configuration which would
generate random passwords for users, cloud-init would cause those
passwords to be written to the serial console by emitting them on
stderr.  In the default configuration, any stdout or stderr emitted by
cloud-init is also written to `/var/log/cloud-init-output.log`.  This
file is world-readable, meaning that those randomly-generated passwords
were available to be read by any user with access to the system.  This
presents an obvious security issue.

This commit responds to this issue in two ways:

* We address the direct issue by moving from writing the passwords to
  sys.stderr to writing them directly to /dev/console (via
  util.multi_log); this means that the passwords will never end up in
  cloud-init-output.log
* To avoid future issues like this, we also modify the logging code so
  that any files created in a log sink subprocess will only be
  owner/group readable and, if it exists, will be owned by the adm
  group.  This results in `/var/log/cloud-init-output.log` no longer
  being world-readable, meaning that if there are other parts of the
  codebase that are emitting sensitive data intended for the serial
  console, that data is no longer available to all users of the system.

LP: #1918303

Test Steps

See the included integration tests.

Checklist:

  • My code follows the process laid out in the documentation
  • I have updated or added any unit tests accordingly
  • I have updated or added any documentation accordingly
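The second part of the fix, creating log sink files that are owner/group readable and handing them to the `adm` group when it exists, as an added example that is not cloud-init's own code. The names `open_log_sink`, `world_readable` and `demo`, and the 0o640 mode, are assumptions for illustration; `demo` constructs a world-readable `cloud-init-output.log` in a temporary directory and shows it being locked down.

```python
import grp
import os
import stat
import tempfile

LOG_MODE = 0o640  # owner rw, group r, nothing for others (assumed mode)


def open_log_sink(path: str, group: str = "adm") -> dict:
    """Create or reopen a log file so it is never world-readable.

    The mode is passed to os.open() for creation and re-applied with
    os.fchmod(), since os.open()'s mode is masked by the umask and is not
    applied to a file that already exists.  Group ownership is changed only
    when `group` exists on the host, as the PR describes for adm.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, LOG_MODE)
    os.fchmod(fd, LOG_MODE)  # also tightens a pre-existing 0644 file
    group_applied = False
    try:
        gid = grp.getgrnam(group).gr_gid
        os.fchown(fd, -1, gid)  # keep owner, set group (root:adm as root)
        group_applied = True
    except KeyError:
        pass  # group absent on this host: keep the default group
    except PermissionError:
        pass  # unprivileged caller: mode is still tightened
    os.close(fd)
    return {"path": path, "group_applied": group_applied}


def world_readable(path: str) -> bool:
    """Audit helper: True if 'others' may read the file (the pre-fix state)."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def demo() -> dict:
    """Before/after: a constructed 0644 output log is locked down to 0640."""
    log = os.path.join(tempfile.mkdtemp(), "cloud-init-output.log")
    # Constructed 'before' state: a world-readable log holding a line of the
    # kind the PR moves to the serial console (placeholder, not a real secret).
    with open(log, "w") as f:
        f.write("Set the following 'random' passwords\nuser:<example-only>\n")
    os.chmod(log, 0o644)
    before = world_readable(log)
    open_log_sink(log)
    after = world_readable(log)
    mode = stat.S_IMODE(os.stat(log).st_mode)
    return {"before": before, "after": after, "mode": oct(mode)}
```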

@OddBloke OddBloke merged commit b794d42 into canonical:master Mar 19, 2021
@OddBloke OddBloke deleted the lp1918303 branch March 19, 2021 14:06
TheRealFalcon added a commit to TheRealFalcon/cloud-init that referenced this pull request Mar 19, 2021
In b794d42 (canonical#847), we changed log permissions on
/var/log/cloud-init.log to be owned by root:adm and have 740 permissions
by default. This commit performs that same change on upgrade.

LP: #1918303
TheRealFalcon added a commit that referenced this pull request Mar 22, 2021
In b794d42 (#847), we changed log permissions on
/var/log/cloud-init.log to be owned by root:adm and have 740 permissions
by default. This commit performs that same change on upgrade.

LP: #1918303
holmanb pushed a commit to holmanb/cloud-init that referenced this pull request Feb 7, 2024
In b794d42 (canonical#847), we changed log permissions on
/var/log/cloud-init.log to be owned by root:adm and have 740 permissions
by default. This commit performs that same change on upgrade.

LP: #1918303