author | Scott Moser <smoser@ubuntu.com> | 2013-07-17 13:36:32 -0400 |
---|---|---|
committer | Scott Moser <smoser@ubuntu.com> | 2013-07-17 13:36:32 -0400 |
commit | 8f70bb7e7144f2225b4e9a589d16ae6d15992a3d (patch) | |
tree | 595e918a8dfa5f848cf9916d9e472cd60cacc644 | |
parent | 7b9b49efe6866103730b8b202c8ddf2189644ea5 (diff) | |
Azure: make /var/lib/waagent with 0700 perms
The walinux agent expects that the files it writes with 0644 (default umask)
permissions are not globally readable. Since we were creating the directory
for it, and using default umask (0755), the files inside were readable to
non-privileged users.
-rw-r--r-- | cloudinit/sources/DataSourceAzure.py | 7 | ||||
-rw-r--r-- | tests/unittests/test_datasource/test_azure.py | 4 |
2 files changed, 8 insertions, 3 deletions
diff --git a/cloudinit/sources/DataSourceAzure.py b/cloudinit/sources/DataSourceAzure.py
index f1419296..c90d7b07 100644
--- a/cloudinit/sources/DataSourceAzure.py
+++ b/cloudinit/sources/DataSourceAzure.py
@@ -104,7 +104,9 @@ class DataSourceAzureNet(sources.DataSource):
 if value is not None:
 mycfg[name] = value
 
- write_files(mycfg['datadir'], files)
+ # walinux agent writes files world readable, but expects
+ # the directory to be protected.
+ write_files(mycfg['datadir'], files, dirmode=0700)
 
 try:
 invoke_agent(mycfg['cmd'])
@@ -171,11 +173,12 @@ def wait_for_files(flist, maxwait=60, naplen=.5):
 return need
 
 
-def write_files(datadir, files):
+def write_files(datadir, files, dirmode=None):
 if not datadir:
 return
 if not files:
 files = {}
+ util.ensure_dir(datadir, dirmode)
 for (name, content) in files.items():
 util.write_file(filename=os.path.join(datadir, name),
 content=content, mode=0600)
diff --git a/tests/unittests/test_datasource/test_azure.py b/tests/unittests/test_datasource/test_azure.py
index 74ed7197..c79c25d8 100644
--- a/tests/unittests/test_datasource/test_azure.py
+++ b/tests/unittests/test_datasource/test_azure.py
@@ -84,9 +84,10 @@ class TestAzureDataSource(MockerTestCase):
 def _invoke_agent(cmd):
 data['agent_invoked'] = cmd
 
- def _write_files(datadir, files):
+ def _write_files(datadir, files, dirmode):
 data['files'] = {}
 data['datadir'] = datadir
+ data['datadir_mode'] = dirmode
 for (fname, content) in files.items():
 data['files'][fname] = content
 
@@ -129,6 +130,7 @@ class TestAzureDataSource(MockerTestCase):
 self.assertEqual(dsrc.userdata_raw, "")
 self.assertEqual(dsrc.metadata['local-hostname'], odata['HostName'])
 self.assertTrue('ovf-env.xml' in data['files'])
+ self.assertEqual(0700, data['datadir_mode'])
 
 def test_user_cfg_set_agent_command(self):
 cfg = {'agent_command': "my_command"} |
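Review bot: The mode literal in the new call `write_files(mycfg['datadir'], files, dirmode=0700)` uses the old-style octal form, which Python 3 rejects as a syntax error; `0o700` is accepted from Python 2.6 onward and reads unambiguously as octal. The same applies to `self.assertEqual(0700, data['datadir_mode'])` in the test file. The existing `mode=0600` in write_files has the same form, so this matches the file as it stands and is best changed together. The enclosing method starts and ends outside the hunk.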
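Review bot: Whether an already-existing datadir gets tightened depends on `util.ensure_dir`, which is not shown in this diff. If it applies `dirmode` only when it creates the directory, a datadir left at 0755 by an earlier boot keeps that mode and the agent's 0644 files stay readable to other local users. If so, follow the call with `if dirmode is not None: os.chmod(datadir, dirmode)`. `write_files` also has no docstring; I would add one saying that files are always written 0600, that `dirmode` is passed to `util.ensure_dir`, and what `dirmode=None` means for the directory (to be confirmed against ensure_dir). The function body may continue past the end of the hunk.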
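Review bot: The stub `_write_files` replaces the real function, so the new `self.assertEqual(0700, data['datadir_mode'])` proves only that the data source passes the argument, not that the directory ends up 0700 on disk. A small test that calls the real `write_files` on a temporary directory, once absent and once pre-existing at 0755, and checks `stat.S_IMODE(os.stat(d).st_mode)` would cover the behaviour the commit message describes. The stub also makes `dirmode` a required parameter while the real signature defaults it to None; `def _write_files(datadir, files, dirmode=None):` keeps the two in step.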