From 29ac50f2b9e7634fc59fc161d77d27e970ae8080 Mon Sep 17 00:00:00 2001
From: Robert Schweikert
Date: Wed, 2 Jun 2021 17:10:32 -0400
Subject: [PATCH] - Create the log file with 640 permissions (#858)

Security scanners are often simple minded and complain on arbitrary settings such as file permissions. For /var/log/* having world read is one of these cases.
---
 cloudinit/stages.py | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/cloudinit/stages.py b/cloudinit/stages.py
index bbded1e9..3688be2e 100644
--- a/cloudinit/stages.py
+++ b/cloudinit/stages.py
@@ -156,7 +156,7 @@ class Init(object):
 util.ensure_dirs(self._initial_subdirs())
 log_file = util.get_cfg_option_str(self.cfg, 'def_log_file')
 if log_file:
- util.ensure_file(log_file, preserve_mode=True)
+ util.ensure_file(log_file, mode=0o640, preserve_mode=True)
 perms = self.cfg.get('syslog_fix_perms')
 if not perms:
 perms = {}
-- 
2.27.0
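Review bot: `mode=0o640` is passed alongside `preserve_mode=True` in the changed `util.ensure_file(...)` call, so a log file created world-readable by an earlier version would stay that way after an upgrade, with only fresh instances getting 0640. This assumes the flag keeps the mode of a file that already exists; the helper is defined outside this hunk, so confirm it. If the goal is that the log is never world-readable, tighten an existing file as well without loosening an admin's stricter mode, for example `os.chmod(log_file, stat.S_IMODE(os.stat(log_file).st_mode) & 0o640)` after the call. Otherwise state the limitation at the call site: `# 0o640 applies only when the file is created; an existing file keeps its mode`. The surrounding method of `Init` starts and ends outside the hunk, so whether the later `syslog_fix_perms` ownership change leaves the intended group able to read the file could not be checked here.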