author | Chad Smith <chad.smith@canonical.com> | 2023-04-26 14:43:06 -0600 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-04-26 14:43:06 -0600 |
commit | be3441b217949f608cf1cba677e3484ba49f7e7b (patch) | |
tree | f32a13f79562ffbde9e53f62d7a1f2788e6c74f6 | |
parent | a378b7e4f47375458651c0972e7cd813f6fe0a6b (diff) | |
download | cloud-init-git-be3441b217949f608cf1cba677e3484ba49f7e7b.tar.gz |
tests: update integration test to assert 640 across reboots (#2145)
-rw-r--r-- | tests/integration_tests/bugs/test_lp1900837.py | 27 | ||||
-rw-r--r-- | tests/integration_tests/bugs/test_lp2013967.py | 31 |
2 files changed, 31 insertions, 27 deletions
diff --git a/tests/integration_tests/bugs/test_lp1900837.py b/tests/integration_tests/bugs/test_lp1900837.py
deleted file mode 100644
index d9ef18aa..00000000
--- a/tests/integration_tests/bugs/test_lp1900837.py
+++ /dev/null
@@ -1,27 +0,0 @@
-"""Integration test for LP: #1900836.
-
-This test mirrors the reproducing steps from the reported bug: it changes the
-permissions on cloud-init.log to 600 and confirms that they remain 600 after a
-reboot.
-"""
-
-
-def _get_log_perms(client):
- return client.execute("stat -c %a /var/log/cloud-init.log")
-
-
-class TestLogPermissionsNotResetOnReboot:
- def test_permissions_unchanged(self, client):
- # Confirm that the current permissions aren't 600
- assert "644" == _get_log_perms(client)
-
- # Set permissions to 600 and confirm our assertion passes pre-reboot
- client.execute("chmod 600 /var/log/cloud-init.log")
- assert "600" == _get_log_perms(client)
-
- # Reboot
- client.restart()
- assert client.execute("cloud-init status").ok
-
- # Check that permissions are not reset on reboot
- assert "600" == _get_log_perms(client)
diff --git a/tests/integration_tests/bugs/test_lp2013967.py b/tests/integration_tests/bugs/test_lp2013967.py
new file mode 100644
index 00000000..68a6ec5f
--- /dev/null
+++ b/tests/integration_tests/bugs/test_lp2013967.py
@@ -0,0 +1,31 @@
+"""Integration test for LP: #2013967.
+
+Assert cloud-init will explicitly set 640 perms across reboot regardless
+prior permissions. This is to avoid repeated security issues where sensitive
+data has been leaked by various clouds into a world-readable
+/var/log/cloud-init.log. We no longer wish to preserve too permissive
+a set of permissions by cloud-init runtime which were established by
+default log permissions by python's logging setup.
+"""
+
+
+def _get_log_perms(client):
+ return client.execute("stat -c %a /var/log/cloud-init.log")
+
+
+class TestLogPermissionsNotResetOnReboot:
+ def test_permissions_unchanged(self, client):
+ # Confirm that the current permissions aren't 644
+ assert "640" == _get_log_perms(client)
+
+ # Set permissions to 644 and confirm our assertion that
+ # permissions are reset across reboot
+ client.execute("chmod 644 /var/log/cloud-init.log")
+ assert "644" == _get_log_perms(client)
+
+ # Reboot
+ client.restart()
+ assert client.execute("cloud-init status").ok
+
+ # Check that permissions are reset on reboot
+ assert "640" == _get_log_perms(client) |
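Review bot: The class and method names carried over from the deleted test now state the opposite of what is asserted: `TestLogPermissionsNotResetOnReboot.test_permissions_unchanged` verifies that the mode is reset to 640, and the first comment (`# Confirm that the current permissions aren't 644`) sits above an equality check for 640. Rename to `class TestLogPermissionsResetOnReboot:` / `def test_permissions_reset(self, client):` and reword the comment to `# Confirm that the default permissions are 640`. The docstring promises 640 "regardless" of prior permissions, but only the 644 starting point is exercised; a second case starting from `chmod 600` would pin whether a deliberately tightened log is widened back to 640 on reboot, which operators hardening the file would want documented. The test also checks only the mode bits; because 640 grants group read, asserting owner and group as well (for example via `stat -c '%a %U %G'`) would catch a regression where the log ends up readable by an unexpectedly broad group.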