fix:Don't loosen the permissions of the log file

(cherry picked from commit a322b85e5c42eef67cbf216e22878f0923612aea)
2023-12-14 14:29:04 +08:00 · 2023-12-14 14:29:04 +08:00 · 063a9ea5f3
commit 063a9ea5f3
parent 90948544f0
3 changed files with 171 additions and 1 deletions
--- a/backport-add-get_permissions-get_owner-get_group-get_user_gro.patch
+++ b/backport-add-get_permissions-get_owner-get_group-get_user_gro.patch
@ -0,0 +1,76 @@
+From 00dbaf1e9ab0e59d81662f0f3561897bef499a3f Mon Sep 17 00:00:00 2001
+From: Emanuele Giuseppe Esposito <eesposit@redhat.com>
+Date: Mon, 9 Aug 2021 16:49:56 +0200
+Subject: [PATCH] add get_permissions/get_owner/get_group/get_user_groups
+
+---
+ cloudinit/util.py | 46 ++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 46 insertions(+)
+
+diff --git a/cloudinit/util.py b/cloudinit/util.py
+index 88d6d53..2379177 100644
+--- a/cloudinit/util.py
+++ b/cloudinit/util.py
+@@ -36,6 +36,7 @@ from errno import ENOENT, ENOEXEC
+ 
+ from base64 import b64decode, b64encode
+ from six.moves.urllib import parse as urlparse
+from typing import List
+ 
+ import six
+ 
+@@ -1887,6 +1888,51 @@ def chmod(path, mode):
+         with SeLinuxGuard(path):
+             os.chmod(path, real_mode)
+ 
+def get_permissions(path: str) -> int:
+    """
+    Returns the octal permissions of the file/folder pointed by the path,
+    encoded as an int.
+
+    @param path: The full path of the file/folder.
+    """
+
+    return stat.S_IMODE(os.stat(path).st_mode)
+
+
+def get_owner(path: str) -> str:
+    """
+    Returns the owner of the file/folder pointed by the path.
+
+    @param path: The full path of the file/folder.
+    """
+    st = os.stat(path)
+    return pwd.getpwuid(st.st_uid).pw_name
+
+
+def get_group(path: str) -> str:
+    """
+    Returns the group of the file/folder pointed by the path.
+
+    @param path: The full path of the file/folder.
+    """
+    st = os.stat(path)
+    return grp.getgrgid(st.st_gid).gr_name
+
+
+def get_user_groups(username: str) -> List[str]:
+    """
+    Returns a list of all groups to which the user belongs
+
+    @param username: the user we want to check
+    """
+    groups = []
+    for group in grp.getgrall():
+        if username in group.gr_mem:
+            groups.append(group.gr_name)
+
+    gid = pwd.getpwnam(username).pw_gid
+    groups.append(grp.getgrgid(gid).gr_name)
+    return groups
+ 
+ def write_file(filename, content, mode=0o644, omode="wb", copy_mode=False):
+     """
+-- 
+2.27.0
+
--- a/backport-fix-Don-t-loosen-the-permissions-of-the-log-file.patch
+++ b/backport-fix-Don-t-loosen-the-permissions-of-the-log-file.patch
@ -0,0 +1,89 @@
+From 2fb656fd991d788ed54e098815d93458e46f069e Mon Sep 17 00:00:00 2001
+From: Brett Holman <brett.holman@canonical.com>
+Date: Fri, 24 Nov 2023 15:54:09 +0000
+Subject: [PATCH] fix: Don't loosen the permissions of the log file (#4628)
+
+Reference:https://github.com/canonical/cloud-init/commit/2fb656fd991d788ed54e098815d93458e46f069e
+
+Previous implementations loosened permissions in non-default scenarios.
+
+Fixes GH-4243
+---
+ cloudinit/stages.py            | 15 ++++++++++++++-
+ cloudinit/tests/test_stages.py | 16 ++++++++++++++++
+ 2 files changed, 30 insertions(+), 1 deletion(-)
+
+diff --git a/cloudinit/stages.py b/cloudinit/stages.py
+index 633f57a..5e7733a 100644
+--- a/cloudinit/stages.py
+++ b/cloudinit/stages.py
+@@ -15,6 +15,7 @@ from cloudinit.settings import (
+     FREQUENCIES, CLOUD_CONFIG, PER_INSTANCE, RUN_CLOUD_CONFIG)
+ 
+ from cloudinit import handlers
+from contextlib import suppress
+ 
+ # Default handlers (used if not overridden)
+ from cloudinit.handlers.boot_hook import BootHookPartHandler
+@@ -146,13 +147,25 @@ class Init(object):
+     def initialize(self):
+         self._initialize_filesystem()
+ 
+    @staticmethod
+    def _get_strictest_mode(mode_1: int, mode_2: int) -> int:
+        return mode_1 & mode_2
+
+     def _initialize_filesystem(self):
+        mode = 0o640
+
+         util.ensure_dirs(self._initial_subdirs())
+         log_file = util.get_cfg_option_str(self.cfg, 'def_log_file')
+         if log_file:
+             # At this point the log file should have already been created
+             # in the setupLogging function of log.py
+-            util.ensure_file(log_file, mode=0o640, preserve_mode=False)
+            with suppress(OSError):
+                mode = self._get_strictest_mode(
+                    0o640, util.get_permissions(log_file)
+                )
+
+            # set file mode to the strictest of 0o640 and the current mode
+            util.ensure_file(log_file, mode, preserve_mode=False)
+             perms = self.cfg.get('syslog_fix_perms')
+             if not perms:
+                 perms = {}
+diff --git a/cloudinit/tests/test_stages.py b/cloudinit/tests/test_stages.py
+index d5c9c0e..42facb7 100644
+--- a/cloudinit/tests/test_stages.py
+++ b/cloudinit/tests/test_stages.py
+@@ -3,6 +3,7 @@
+ """Tests related to cloudinit.stages module."""
+ 
+ import os
+import pytest
+ 
+ from cloudinit import stages
+ from cloudinit import sources
+@@ -341,4 +342,19 @@ class TestInit(CiTestCase):
+         self.init.distro.apply_network_config.assert_called_with(
+             net_cfg, bring_up=True)
+ 
+@pytest.mark.parametrize(
+    "mode_1, mode_2, expected",
+    [
+        (0o777, 0o640, 0o640),
+        (0o640, 0o777, 0o640),
+        (0o640, 0o541, 0o440),
+        (0o111, 0o050, 0o010),
+        (0o631, 0o640, 0o600),
+        (0o661, 0o640, 0o640),
+        (0o453, 0o611, 0o411),
+    ],
+)
+def test_strictest_permissions(mode_1, mode_2, expected):
+    assert expected == stages.Init._get_strictest_mode(mode_1, mode_2)
+
+ # vi: ts=4 expandtab
+-- 
+2.27.0
+
--- a/cloud-init.spec
+++ b/cloud-init.spec
@ -1,6 +1,6 @@
 Name: cloud-init
 Version: 19.4
-Release: 13
+Release: 14
 Summary: the defacto multi-distribution package that handles early initialization of a cloud instance.
 License: ASL 2.0 or GPLv3
 URL: http://launchpad.net/cloud-init
@ -23,6 +23,8 @@ Patch12: remove-schema-errors-from-log-for-cloudinit-config-cc_.patch
 Patch13: backport-stages-don-t-reset-permissions-of-cloud-init.log-eve.patch
 Patch14: backport-Create-the-log-file-with-640-permissions-858.patch
 Patch15: backport-CVE-2023-1786-Make-user-vendor-data-sensitive-and-remove-log-permi.patch
+Patch16: backport-fix-Don-t-loosen-the-permissions-of-the-log-file.patch
+Patch17: backport-add-get_permissions-get_owner-get_group-get_user_gro.patch

 Patch9000: Fix-the-error-level-logs-displayed-for-the-cloud-init-local-service.patch

@ -131,6 +133,9 @@ fi
 %exclude /usr/share/doc/*

 %changelog
+* Thu Dec 14 2023 shixuantong <shixuantong1@huawei.com> - 19.4-14
+- fix: Don't loosen the permissions of the log file
+
 * Wed May 24 2023 fuanan <fuanan3@h-partners.com> - 19.4-13
 - fix CVE-2023-1786