author | James Falcon <james.falcon@canonical.com> | 2023-04-26 15:11:55 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-04-26 15:11:55 -0500 |
commit | a378b7e4f47375458651c0972e7cd813f6fe0a6b (patch) | |
tree | bb1d6197c013773f723503f07b0a0daa7c67a8de /cloudinit/sources/DataSourceLXD.py | |
parent | c1b4722036a1ad3f683b7942db4d07639f88dcd2 (diff) | |
Make user/vendor data sensitive and remove log permissions (#2144)
Because user data and vendor data may contain sensitive information,
this commit ensures that any user data or vendor data written to
instance-data.json gets redacted and is only available to root user.
Also, modify the permissions of cloud-init.log to be 640, so that
sensitive data leaked to the log isn't world readable.
Additionally, remove the logging of user data and vendor data to
cloud-init.log from the Vultr datasource.
LP: #2013967
CVE: CVE-2023-1786
Diffstat (limited to 'cloudinit/sources/DataSourceLXD.py')
-rw-r--r-- | cloudinit/sources/DataSourceLXD.py | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/cloudinit/sources/DataSourceLXD.py b/cloudinit/sources/DataSourceLXD.py
index 2643149b..6a41fbcc 100644
--- a/cloudinit/sources/DataSourceLXD.py
+++ b/cloudinit/sources/DataSourceLXD.py
@@ -14,7 +14,7 @@ import stat
 import time
 from enum import Flag, auto
 from json.decoder import JSONDecodeError
-from typing import Any, Dict, List, Optional, Union, cast
+from typing import Any, Dict, List, Optional, Tuple, Union, cast
 
 import requests
 from requests.adapters import HTTPAdapter
@@ -168,11 +168,14 @@ class DataSourceLXD(sources.DataSource):
     _network_config: Union[Dict, str] = sources.UNSET
     _crawled_metadata: Union[Dict, str] = sources.UNSET
 
-    sensitive_metadata_keys = (
-        "merged_cfg",
+    sensitive_metadata_keys: Tuple[
+        str, ...
+    ] = sources.DataSource.sensitive_metadata_keys + (
         "user.meta-data",
         "user.vendor-data",
         "user.user-data",
+        "cloud-init.user-data",
+        "cloud-init.vendor-data",
     )
 
     skip_hotplug_detect = True |
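Review bot: Removing `"merged_cfg"` from the local tuple in the second hunk makes redaction of the merged config depend on `sources.DataSource.sensitive_metadata_keys` (defined outside this hunk) still containing that key; that is presumably why the base tuple is now prepended, but it is worth pinning with a test such as `assert "merged_cfg" in DataSourceLXD.sensitive_metadata_keys` so a later edit to the base class cannot silently drop it. The concatenation is evaluated once at class-definition time, so any runtime change to the base attribute is not reflected in the LXD list. A short comment above the attribute would explain the intent to the next maintainer: `# Extend, never replace, the base keys: LXD user/vendor data may carry secrets and must be redacted from instance-data.json.`. The DataSourceLXD class body continues outside the hunk.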