packages/cloud-init
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!212 [sync] PR-209: fix: Logging sensitive data

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen
This commit is contained in:
openeuler-ci-bot 2024-04-17 07:38:23 +00:00 committed by Gitee
commit e5f6b3ed93
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 64 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
backport-fix-Logging-sensitive-data.patch Normal file
View File

@ -0,0 +1,56 @@
From 2f9812e805f8e66feaf2689384ea6d669305d9a5 Mon Sep 17 00:00:00 2001
From: Brett Holman <brett.holman@canonical.com>
Date: Wed, 3 Apr 2024 13:51:25 -0600
Subject: [PATCH] fix: Logging sensitive data
Don't log sensitive data.
Since /var/log/cloud-init.log is a priviledged file, this does not expose a
secure system (no CVE). However, we don't want to log this information so that
users can file reports without having to manually redact logs.
Standardize log messages so that redacted and non-redacted logs match.
Reference:https://github.com/canonical/cloud-init/commit/2f9812e8
---
cloudinit/subp.py | 24 +++++++++---------------
1 file changed, 9 insertions(+), 15 deletions(-)
diff --git a/cloudinit/subp.py b/cloudinit/subp.py
index 85a970f..9347f4f 100644
--- a/cloudinit/subp.py
+++ b/cloudinit/subp.py
@@ -229,21 +229,15 @@ def subp(
if status_cb:
command = " ".join(args) if isinstance(args, list) else args
status_cb("Begin run command: {command}\n".format(command=command))
- if not logstring:
- LOG.debug(
- "Running command %s with allowed return codes %s"
- " (shell=%s, capture=%s)",
- args,
- rcs,
- shell,
- "combine" if combine_capture else capture,
- )
- else:
- LOG.debug(
- "Running hidden command to protect sensitive "
- "input/output logstring: %s",
- logstring,
- )
+
+ LOG.debug(
+ "Running command %s with allowed return codes %s"
+ " (shell=%s, capture=%s)",
+ logstring if logstring else args,
+ rcs,
+ shell,
+ "combine" if combine_capture else capture,
+ )
stdin: Union[TextIOWrapper, int]
stdout = None
--
2.27.0

9
cloud-init.spec
View File

@ -1,6 +1,6 @@
Name: cloud-init Name: cloud-init
Version: 23.4.1 Version: 23.4.1
Release: 2 Release: 3
Summary: the defacto multi-distribution package that handles early initialization of a cloud instance. Summary: the defacto multi-distribution package that handles early initialization of a cloud instance.
License: ASL 2.0 or GPLv3 License: ASL 2.0 or GPLv3
URL: http://launchpad.net/cloud-init URL: http://launchpad.net/cloud-init
@ -19,6 +19,7 @@ Patch6001: backport-test-fix-tmpdir-in-test_cc_apk_configure.patch
Patch6002: backport-bug-tests-mock-reads-of-host-s-sys-class-net-via-get.patch Patch6002: backport-bug-tests-mock-reads-of-host-s-sys-class-net-via-get.patch
Patch6003: backport-tests-drop-CiTestCase-and-convert-to-pytest.patch Patch6003: backport-tests-drop-CiTestCase-and-convert-to-pytest.patch
Patch6004: backport-test-fix-disable_sysfs_net-mock.patch Patch6004: backport-test-fix-disable_sysfs_net-mock.patch
Patch6005: backport-fix-Logging-sensitive-data.patch
BuildRequires: pkgconfig(systemd) python3-devel python3-setuptools systemd BuildRequires: pkgconfig(systemd) python3-devel python3-setuptools systemd
BuildRequires: iproute python3-configobj python3-responses BuildRequires: iproute python3-configobj python3-responses
@ -149,6 +150,12 @@ fi
%exclude /usr/share/doc/* %exclude /usr/share/doc/*
%changelog %changelog
* Fri Apr 12 2024 shixuantong <shixuantong1@huawei.com> - 23.4.1-3
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:fix: Logging sensitive data
* Wed Apr 03 2024 shixuantong <shixuantong1@huawei.com> - 23.4.1-2 * Wed Apr 03 2024 shixuantong <shixuantong1@huawei.com> - 23.4.1-2
- Type:bugfix - Type:bugfix
- CVE:NA - CVE:NA