write passwords only to serial console, lock down cloud-init-output.log (#847)

Eduardo Otubo requested to merge otubo/cloud-init-src:1945892 into c9s

BZ: 1945892
BREW: 37893063
TESTED: By me

commit b794d426b9ab43ea9d6371477466070d86e10668
Author: Daniel Watkins <oddbloke@ubuntu.com>
Date:   Fri Mar 19 10:06:42 2021 -0400

    write passwords only to serial console, lock down cloud-init-output.log (#847)

    Prior to this commit, when a user specified configuration which would
    generate random passwords for users, cloud-init would cause those
    passwords to be written to the serial console by emitting them on
    stderr.  In the default configuration, any stdout or stderr emitted by
    cloud-init is also written to `/var/log/cloud-init-output.log`.  This
    file is world-readable, meaning that those randomly-generated passwords
    were available to be read by any user with access to the system.  This
    presents an obvious security issue.

    This commit responds to this issue in two ways:

    * We address the direct issue by moving from writing the passwords to
      sys.stderr to writing them directly to /dev/console (via
      util.multi_log); this means that the passwords will never end up in
      cloud-init-output.log
    * To avoid future issues like this, we also modify the logging code so
      that any files created in a log sink subprocess will only be
      owner/group readable and, if it exists, will be owned by the adm
      group.  This results in `/var/log/cloud-init-output.log` no longer
      being world-readable, meaning that if there are other parts of the
      codebase that are emitting sensitive data intended for the serial
      console, that data is no longer available to all users of the system.

    LP: #1918303

Signed-off-by: Eduardo Otubo <otubo@redhat.com>
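The two halves of the fix the commit message describes, shown as an added illustration rather than cloud-init's own code: a log sink that is created (or repaired) as owner/group-readable only and handed to the `adm` group when that group exists, and a writer that sends sensitive text straight to the console device instead of stdout/stderr, which is what the output log captures. The group name `adm`, the mode `0640` for "owner/group readable", the function names, and the fake console path used by `self_check()` are all assumptions made for this example.

```python
import grp
import os
import stat
import tempfile

# Assumptions for this example (not cloud-init's own constants): 'adm' is the group
# the commit message says should own the log when it exists, and 0640 is the
# "owner/group readable" mode it describes.
LOG_GROUP = "adm"
LOG_MODE = 0o640


def open_log_sink(path, group_name=LOG_GROUP):
    """Open an append-mode log sink that is never world-readable.

    The mode given to os.open only applies when the file is created (and the umask
    may tighten it further), so fchmod is applied as well: that also repairs a
    pre-existing world-readable log like the one the commit message describes.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, LOG_MODE)
    os.fchmod(fd, LOG_MODE)  # fchmod ignores the umask and fixes pre-existing files
    try:
        gid = grp.getgrnam(group_name).gr_gid
    except KeyError:
        gid = None  # group absent on this system: leave group ownership alone
    if gid is not None:
        try:
            os.fchown(fd, -1, gid)  # -1 keeps the owner; only the group changes
        except PermissionError:
            pass  # not root: cannot hand the file to the group, mode is still 0640
    return os.fdopen(fd, "a")


def is_world_readable(path):
    """True if 'other' has read permission on the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def emit_secret_to_console(text, console_path="/dev/console"):
    """Write text to the console device, bypassing stdout/stderr.

    stdout/stderr are what cloud-init-output.log captures, so nothing sensitive is
    written there, and there is deliberately no stdout fallback. Returns True if
    the text reached the console, False if the device could not be opened.
    """
    try:
        with open(console_path, "w") as console:
            console.write(text)
        return True
    except OSError:
        return False


def self_check():
    """Exercise both halves of the fix in a temp directory; returns observations."""
    workdir = tempfile.mkdtemp()
    fresh = os.path.join(workdir, "cloud-init-output.log")
    with open_log_sink(fresh) as sink:
        sink.write("ordinary cloud-init output\n")
    fresh_mode = stat.S_IMODE(os.stat(fresh).st_mode)

    # A log left behind by the older, world-readable behaviour (constructed).
    legacy = os.path.join(workdir, "legacy-output.log")
    with open(legacy, "w") as f:
        f.write("old contents\n")
    os.chmod(legacy, 0o644)
    legacy_was_world_readable = is_world_readable(legacy)
    with open_log_sink(legacy) as sink:
        sink.write("appended after lockdown\n")
    legacy_mode = stat.S_IMODE(os.stat(legacy).st_mode)

    # Stand-in for /dev/console: a plain file that is *not* the output log.
    console = os.path.join(workdir, "fake-console")
    secret = "SENSITIVE-VALUE (constructed placeholder)\n"
    delivered = emit_secret_to_console(secret, console)
    with open(console) as f:
        console_text = f.read()
    with open(fresh) as f:
        log_text = f.read()
    # No console available: the secret must not silently fall back to stdout.
    missing = emit_secret_to_console("x", os.path.join(workdir, "no-such-dir", "console"))

    return {
        "fresh_mode": fresh_mode,
        "legacy_was_world_readable": legacy_was_world_readable,
        "legacy_mode": legacy_mode,
        "delivered": delivered,
        "secret_in_console": "SENSITIVE-VALUE" in console_text,
        "secret_in_log": "SENSITIVE-VALUE" in log_text,
        "missing_console_delivered": missing,
    }


if __name__ == "__main__":
    for key, value in self_check().items():
        print(f"{key}: {value!r}")
```

Running the block as a script prints the observations from `self_check()`: the fresh log and the repaired legacy log both end up at mode `0640`, the sensitive text appears only in the stand-in console file, and an unavailable console yields `False` rather than a fallback to stdout. Group ownership is only changed when the process has the privilege to do so, which matches how the page's change takes effect at boot under root.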