44 lines
1.6 KiB
Diff
44 lines
1.6 KiB
Diff
From 2f9812e805f8e66feaf2689384ea6d669305d9a5 Mon Sep 17 00:00:00 2001
|
|
From: Brett Holman <brett.holman@canonical.com>
|
|
Date: Wed, 3 Apr 2024 13:51:25 -0600
|
|
Subject: [PATCH] fix: Logging sensitive data
|
|
|
|
Don't log sensitive data.
|
|
|
|
Since /var/log/cloud-init.log is a priviledged file, this does not expose a
|
|
secure system (no CVE). However, we don't want to log this information so that
|
|
users can file reports without having to manually redact logs.
|
|
|
|
Standardize log messages so that redacted and non-redacted logs match.
|
|
|
|
Reference:https://github.com/canonical/cloud-init/commit/2f9812e8
|
|
---
|
|
cloudinit/subp.py | 11 ++++-------
|
|
1 file changed, 4 insertions(+), 7 deletions(-)
|
|
|
|
diff --git a/cloudinit/subp.py b/cloudinit/subp.py
|
|
index 267142e..749dc9c 100644
|
|
--- a/cloudinit/subp.py
|
|
+++ b/cloudinit/subp.py
|
|
@@ -217,13 +217,10 @@ def subp(args, data=None, rcs=None, env=None, capture=True,
|
|
if status_cb:
|
|
command = ' '.join(args) if isinstance(args, list) else args
|
|
status_cb('Begin run command: {command}\n'.format(command=command))
|
|
- if not logstring:
|
|
- LOG.debug(("Running command %s with allowed return codes %s"
|
|
- " (shell=%s, capture=%s)"),
|
|
- args, rcs, shell, 'combine' if combine_capture else capture)
|
|
- else:
|
|
- LOG.debug(("Running hidden command to protect sensitive "
|
|
- "input/output logstring: %s"), logstring)
|
|
+
|
|
+ LOG.debug(("Running command %s with allowed return codes %s"
|
|
+ " (shell=%s, capture=%s)"),
|
|
+ logstring if logstring else args, rcs, shell, 'combine' if combine_capture else capture)
|
|
|
|
stdin = None
|
|
stdout = None
|
|
--
|
|
2.27.0
|
|
|