author | Robert Schweikert <rjschwei@suse.com> | 2021-06-02 17:10:32 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-06-02 15:10:32 -0600 |
commit | 29ac50f2b9e7634fc59fc161d77d27e970ae8080 (patch) | |
tree | 8d5280c71dba2ad8f667e9776441aaac39bb4012 | |
parent | 503e2d398660e8af5d49bdf6944a50ad793a3a31 (diff) | |
download | vyos-cloud-init-29ac50f2b9e7634fc59fc161d77d27e970ae8080.tar.gz vyos-cloud-init-29ac50f2b9e7634fc59fc161d77d27e970ae8080.zip |
- Create the log file with 640 permissions (#858)
Security scanners are often simple-minded and complain about arbitrary
settings such as file permissions. For /var/log/* having world read is
one of these cases.
-rw-r--r-- | cloudinit/stages.py | 2 | ||||
-rw-r--r-- | cloudinit/tests/test_stages.py | 24 |
2 files changed, 13 insertions, 13 deletions
diff --git a/cloudinit/stages.py b/cloudinit/stages.py
index bbded1e9..3688be2e 100644
--- a/cloudinit/stages.py
+++ b/cloudinit/stages.py
@@ -156,7 +156,7 @@ class Init(object):
 util.ensure_dirs(self._initial_subdirs())
 log_file = util.get_cfg_option_str(self.cfg, 'def_log_file')
 if log_file:
- util.ensure_file(log_file, preserve_mode=True)
+ util.ensure_file(log_file, mode=0o640, preserve_mode=True)
 perms = self.cfg.get('syslog_fix_perms')
 if not perms:
 perms = {}
diff --git a/cloudinit/tests/test_stages.py b/cloudinit/tests/test_stages.py
index a06a2bde..a50836a4 100644
--- a/cloudinit/tests/test_stages.py
+++ b/cloudinit/tests/test_stages.py
@@ -428,22 +428,20 @@ class TestInit_InitializeFilesystem:
 """A fixture which yields a stages.Init instance with paths and cfg set
 As it is replaced with a mock, consumers of this fixture can set
- `init.cfg` if the default empty dict configuration is not appropriate.
+ `init._cfg` if the default empty dict configuration is not appropriate.
 """
- with mock.patch(
- "cloudinit.stages.Init.cfg", mock.PropertyMock(return_value={})
- ):
- with mock.patch("cloudinit.stages.util.ensure_dirs"):
- init = stages.Init()
- init._paths = paths
- yield init
+ with mock.patch("cloudinit.stages.util.ensure_dirs"):
+ init = stages.Init()
+ init._cfg = {}
+ init._paths = paths
+ yield init
 @mock.patch("cloudinit.stages.util.ensure_file")
 def test_ensure_file_not_called_if_no_log_file_configured(
 self, m_ensure_file, init
 ):
 """If no log file is configured, we should not ensure its existence."""
- init.cfg = {}
+ init._cfg = {}
 init._initialize_filesystem()
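Review bot: The added `mode=0o640` only governs a log file that does not exist yet, because `preserve_mode=True` stays on the same ensure_file call, so a def_log_file that already exists with world-readable permissions keeps them across an upgrade; the commit message reads as if 640 applied generally, and the call site should say otherwise. A comment on the changed line would make that explicit: `# 0o640 applies only to a freshly created log file; an existing file keeps its mode (preserve_mode)`. The literal also duplicates the `0o640` asserted in the test; a named module-level constant (something like `DEFAULT_LOG_FILE_MODE`, name constructed) would keep the two in sync. Whether the mode is enforced by an explicit chmod or only passed at creation time, and so subject to the process umask, is decided inside util.ensure_file, which is not part of this diff. `_initialize_filesystem` continues outside the hunk.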
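Review bot: The fixture docstring is stale after this change: "As it is replaced with a mock" refers to the `Init.cfg` PropertyMock that this hunk removes, so the sentence no longer describes what the fixture does. Rewording it along the lines of `The config is an empty dict by default; consumers of this fixture can set init._cfg if that is not appropriate.` keeps it accurate. Assigning `init._cfg` directly ties the tests to a private attribute of stages.Init, which is acceptable in a fixture but deserves a one-line why-comment, e.g. `# bypass config loading: tests populate _cfg directly`; that the cfg property reads `_cfg` is inferred from the tests passing, not visible here. The enclosing fixture definition starts outside the hunk.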
@@ -452,11 +450,13 @@ class TestInit_InitializeFilesystem:
 def test_log_files_existence_is_ensured_if_configured(self, init, tmpdir):
 """If a log file is configured, we should ensure its existence."""
 log_file = tmpdir.join("cloud-init.log")
- init.cfg = {"def_log_file": str(log_file)}
+ init._cfg = {"def_log_file": str(log_file)}
 init._initialize_filesystem()
- assert log_file.exists
+ assert log_file.exists()
+ # Assert we create it 0o640 by default if it doesn't already exist
+ assert 0o640 == stat.S_IMODE(log_file.stat().mode)
 def test_existing_file_permissions_are_not_modified(self, init, tmpdir):
 """If the log file already exists, we should not modify its permissions
@@ -469,7 +469,7 @@ class TestInit_InitializeFilesystem:
 log_file = tmpdir.join("cloud-init.log")
 log_file.ensure()
 log_file.chmod(mode)
- init.cfg = {"def_log_file": str(log_file)}
+ init._cfg = {"def_log_file": str(log_file)}
 init._initialize_filesystem() |
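Review bot: The new exact-mode assertion `assert 0o640 == stat.S_IMODE(log_file.stat().mode)` makes the test depend on how util.ensure_file applies the mode: if the mode is only passed at creation time, a restrictive process umask (for example one clearing group bits) changes the resulting mode and the test fails on such hosts. If ensure_file chmods explicitly this is fine; otherwise the property the commit actually needs is that the file is not world-readable, which `assert not stat.S_IMODE(log_file.stat().mode) & stat.S_IROTH` checks without depending on the umask. `stat` is used but no import appears in the diff; presumably test_stages.py already imports it, worth confirming. The comment above the assertion restates the test name rather than the reason; `# a newly created log file must not be world-readable (#858)` would carry the why.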