packages/cloud-init
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!210 fix: Logging sensitive data

Browse Source 
From: @tong_1001 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen
This commit is contained in:
openeuler-ci-bot 2024-04-15 02:47:46 +00:00 committed by Gitee
commit 60867e5b89
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 51 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
backport-fix-Logging-sensitive-data.patch Normal file
View File

@ -0,0 +1,43 @@
From 2f9812e805f8e66feaf2689384ea6d669305d9a5 Mon Sep 17 00:00:00 2001
From: Brett Holman <brett.holman@canonical.com>
Date: Wed, 3 Apr 2024 13:51:25 -0600
Subject: [PATCH] fix: Logging sensitive data
Don't log sensitive data.
Since /var/log/cloud-init.log is a priviledged file, this does not expose a
secure system (no CVE). However, we don't want to log this information so that
users can file reports without having to manually redact logs.
Standardize log messages so that redacted and non-redacted logs match.
Reference:https://github.com/canonical/cloud-init/commit/2f9812e8
---
cloudinit/subp.py | 11 ++++-------
1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/cloudinit/subp.py b/cloudinit/subp.py
index 267142e..749dc9c 100644
--- a/cloudinit/subp.py
+++ b/cloudinit/subp.py
@@ -217,13 +217,10 @@ def subp(args, data=None, rcs=None, env=None, capture=True,
if status_cb:
command = ' '.join(args) if isinstance(args, list) else args
status_cb('Begin run command: {command}\n'.format(command=command))
- if not logstring:
- LOG.debug(("Running command %s with allowed return codes %s"
- " (shell=%s, capture=%s)"),
- args, rcs, shell, 'combine' if combine_capture else capture)
- else:
- LOG.debug(("Running hidden command to protect sensitive "
- "input/output logstring: %s"), logstring)
+
+ LOG.debug(("Running command %s with allowed return codes %s"
+ " (shell=%s, capture=%s)"),
+ logstring if logstring else args, rcs, shell, 'combine' if combine_capture else capture)
stdin = None
stdout = None
--
2.27.0

9
cloud-init.spec
View File

@ -1,6 +1,6 @@
Name: cloud-init
Version: 21.4
Release: 25
Release: 26
Summary: the defacto multi-distribution package that handles early initialization of a cloud instance.
License: ASL 2.0 or GPLv3
URL: http://launchpad.net/cloud-init
@ -74,6 +74,7 @@ Patch6039: backport-Return-a-namedtuple-from-subp-1376.patch
Patch6040: backport-fix-Don-t-loosen-the-permissions-of-the-log-file.patch
Patch6041: backport-fix-growpart-race-4618.patch
Patch6042: backport-handle-error-when-log-file-is-empty-4859.patch
Patch6043: backport-fix-Logging-sensitive-data.patch
BuildRequires: pkgconfig(systemd) python3-devel python3-setuptools systemd
BuildRequires: iproute python3-configobj python3-httpretty >= 0.8.14-2
@ -184,6 +185,12 @@ fi
%exclude /usr/share/doc/*
%changelog
* Fri Apr 12 2024 shixuantong <shixuantong1@huawei.com> - 21.4-26
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:fix: Logging sensitive data
* Tue Mar 26 2024 shixuantong <shixuantong1@huawei.com> - 21.4-25
- Type:bugfix
- CVE:NA