Diffstat (limited to 'tests/integration_tests/bugs/test_lp2013967.py')
-rw-r--r-- | tests/integration_tests/bugs/test_lp2013967.py | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/tests/integration_tests/bugs/test_lp2013967.py b/tests/integration_tests/bugs/test_lp2013967.py
new file mode 100644
index 00000000..68a6ec5f
--- /dev/null
+++ b/tests/integration_tests/bugs/test_lp2013967.py
@@ -0,0 +1,31 @@
+"""Integration test for LP: #2013967.
+
+Assert cloud-init will explicitly set 640 perms across reboot regardless
+prior permissions. This is to avoid repeated security issues where sensitive
+data has been leaked by various clouds into a world-readable
+/var/log/cloud-init.log. We no longer wish to preserve too permissive
+a set of permissions by cloud-init runtime which were established by
+default log permissions by python's logging setup.
+"""
+
+
+def _get_log_perms(client):
+ return client.execute("stat -c %a /var/log/cloud-init.log")
+
+
+class TestLogPermissionsNotResetOnReboot:
+ def test_permissions_unchanged(self, client):
+ # Confirm that the current permissions aren't 644
+ assert "640" == _get_log_perms(client)
+
+ # Set permissions to 644 and confirm our assertion that
+ # permissions are reset across reboot
+ client.execute("chmod 644 /var/log/cloud-init.log")
+ assert "644" == _get_log_perms(client)
+
+ # Reboot
+ client.restart()
+ assert client.execute("cloud-init status").ok
+
+ # Check that permissions are reset on reboot
+ assert "640" == _get_log_perms(client) |
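Review bot: The class name `TestLogPermissionsNotResetOnReboot`, the method name `test_permissions_unchanged` and the first comment (`# Confirm that the current permissions aren't 644`) say the opposite of what the test asserts, which is that a log loosened to 644 is forced back to 640 after reboot. Names such as `TestLogPermissionsResetOnReboot` / `test_permissions_reset_to_640` and a comment like `# Confirm the log starts out at 640` would match the module docstring. The check also covers the mode bits only: `stat -c %a` does not show which owner and group the 640 applies to, so comparing `stat -c '%a %U:%G'` against the owner and group expected for the image would pin down who can actually read the log. Only `/var/log/cloud-init.log` is exercised here; if other cloud-init log files can carry the same sensitive data, they need a matching assertion unless one exists elsewhere.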