packages/cloud-init
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix: Logging sensitive data

Browse Source 
(cherry picked from commit 902429020b23b82022df847581b11464de81e8e4)
This commit is contained in:
shixuantong 2024-04-12 15:48:02 +08:00 committed by openeuler-sync-bot
parent c95206a041
commit afbe2cb760
2 changed files with 64 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
backport-fix-Logging-sensitive-data.patch Normal file
View File

@ -0,0 +1,56 @@
From 2f9812e805f8e66feaf2689384ea6d669305d9a5 Mon Sep 17 00:00:00 2001
From: Brett Holman <brett.holman@canonical.com>
Date: Wed, 3 Apr 2024 13:51:25 -0600
Subject: [PATCH] fix: Logging sensitive data
Don't log sensitive data.
Since /var/log/cloud-init.log is a priviledged file, this does not expose a
secure system (no CVE). However, we don't want to log this information so that
users can file reports without having to manually redact logs.
Standardize log messages so that redacted and non-redacted logs match.
Reference:https://github.com/canonical/cloud-init/commit/2f9812e8
---
cloudinit/subp.py | 24 +++++++++---------------
1 file changed, 9 insertions(+), 15 deletions(-)
diff --git a/cloudinit/subp.py b/cloudinit/subp.py
index 85a970f..9347f4f 100644
--- a/cloudinit/subp.py
+++ b/cloudinit/subp.py
@@ -229,21 +229,15 @@ def subp(
if status_cb:
command = " ".join(args) if isinstance(args, list) else args
status_cb("Begin run command: {command}\n".format(command=command))
- if not logstring:
- LOG.debug(
- "Running command %s with allowed return codes %s"
- " (shell=%s, capture=%s)",
- args,
- rcs,
- shell,
- "combine" if combine_capture else capture,
- )
- else:
- LOG.debug(
- "Running hidden command to protect sensitive "
- "input/output logstring: %s",
- logstring,
- )
+
+ LOG.debug(
+ "Running command %s with allowed return codes %s"
+ " (shell=%s, capture=%s)",
+ logstring if logstring else args,
+ rcs,
+ shell,
+ "combine" if combine_capture else capture,
+ )
stdin: Union[TextIOWrapper, int]
stdout = None
--
2.27.0

9
cloud-init.spec
View File

@ -1,6 +1,6 @@
Name: cloud-init
Version: 23.4.1
Release: 2
Release: 3
Summary: the defacto multi-distribution package that handles early initialization of a cloud instance.
License: ASL 2.0 or GPLv3
URL: http://launchpad.net/cloud-init
@ -19,6 +19,7 @@ Patch6001: backport-test-fix-tmpdir-in-test_cc_apk_configure.patch
Patch6002: backport-bug-tests-mock-reads-of-host-s-sys-class-net-via-get.patch
Patch6003: backport-tests-drop-CiTestCase-and-convert-to-pytest.patch
Patch6004: backport-test-fix-disable_sysfs_net-mock.patch
Patch6005: backport-fix-Logging-sensitive-data.patch
BuildRequires: pkgconfig(systemd) python3-devel python3-setuptools systemd
BuildRequires: iproute python3-configobj python3-responses
@ -149,6 +150,12 @@ fi
%exclude /usr/share/doc/*
%changelog
* Fri Apr 12 2024 shixuantong <shixuantong1@huawei.com> - 23.4.1-3
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:fix: Logging sensitive data
* Wed Apr 03 2024 shixuantong <shixuantong1@huawei.com> - 23.4.1-2
- Type:bugfix
- CVE:NA