From f567f9e1f5d10936e9d0dc0cd3831f44edf0cdc5 Mon Sep 17 00:00:00 2001
From: Dan Bungert
Date: Thu, 5 Oct 2023 17:21:07 -0600
Subject: [PATCH 1/5] network: disable log line that logs psk
---
 subiquity/server/controllers/network.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/subiquity/server/controllers/network.py b/subiquity/server/controllers/network.py
index e69db944c..00f90094b 100644
--- a/subiquity/server/controllers/network.py
+++ b/subiquity/server/controllers/network.py
@@ -310,7 +310,8 @@ def update_has_default_route(self, has_default_route):
 def _send_update(self, act, dev):
 with self.context.child("_send_update", "{} {}".format(act.name, dev.name)):
- log.debug("dev_info {} {}".format(dev.name, dev.config))
+ # disable log - can contain PSK
+ # log.debug("dev_info {} {}".format(dev.name, dev.config))
 dev_info = dev.netdev_info()
 self._call_clients("update_link", act, dev_info)
From 80b144f220fc874263313328ab0e68462beb7b48 Mon Sep 17 00:00:00 2001
From: Dan Bungert
Date: Thu, 5 Oct 2023 17:21:29 -0600
Subject: [PATCH 2/5] file_util: just make written files root only
---
 subiquitycore/file_util.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/subiquitycore/file_util.py b/subiquitycore/file_util.py
index 25701a9c4..c1e48e504 100644
--- a/subiquitycore/file_util.py
+++ b/subiquitycore/file_util.py
@@ -23,8 +23,8 @@ import yaml
-_DEF_PERMS_FILE = 0o640
-_DEF_GROUP = "adm"
+_DEF_PERMS_FILE = 0o600
+_DEF_GROUP = "root"
 log = logging.getLogger("subiquitycore.file_util")
From 1da5cac47797823a5b6384101f67f81fc4543610 Mon Sep 17 00:00:00 2001
From: Dan Bungert
Date: Thu, 5 Oct 2023 17:49:23 -0600
Subject: [PATCH 3/5] several: turn off aiohttp access log It will log arguments, so unless we are certain the arguments are clean this will cause trouble. Just turn it off.
---
 subiquity/common/api/server.py | 2 +-
 subiquity/server/server.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
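Review bot: In `_send_update` (subiquity/server/controllers/network.py) the PSK-bearing debug line is commented out rather than removed, which leaves dead code that a later debugging session can re-enable verbatim. Deleting it and logging only the non-secret identifier keeps the trace useful: `log.debug("dev_info %s", dev.name)`, with a comment such as `# never log dev.config: it can contain the PSK`. The hunk does not show whether `dev_info`, which is still passed to `_call_clients`, carries the same field, so that path is worth checking too. The function may continue past the last line of the hunk.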
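Review bot: The new defaults `_DEF_PERMS_FILE = 0o600` and `_DEF_GROUP = "root"` in subiquitycore/file_util.py carry no comment saying why they were tightened, so a later change could loosen them again without noticing the reason. A comment above them, e.g. `# Files written here may contain secrets; keep them readable by root only.`, would record the intent. The hunk does not show where the constants are applied, so it is worth confirming that the mode is set when a file is created rather than by a chmod afterwards, and that nothing else depended on the previous `adm` group read access.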
diff --git a/subiquity/common/api/server.py b/subiquity/common/api/server.py
index 3e70ccf20..dd4b6840b 100644
--- a/subiquity/common/api/server.py
+++ b/subiquity/common/api/server.py
@@ -221,7 +221,7 @@ def bind(router, endpoint, controller, serializer=None, _depth=None):
 async def make_server_at_path(socket_path, endpoint, controller, **kw):
 app = web.Application(**kw)
 bind(app.router, endpoint, controller)
- runner = web.AppRunner(app)
+ runner = web.AppRunner(app, access_log=None)
 await runner.setup()
 site = web.UnixSite(runner, socket_path)
 await site.start()
diff --git a/subiquity/server/server.py b/subiquity/server/server.py
index 1cadce595..3d4bd0348 100644
--- a/subiquity/server/server.py
+++ b/subiquity/server/server.py
@@ -497,7 +497,7 @@ async def start_api_server(self):
 bind(app.router, API.dry_run, DryRunController(self))
 for controller in self.controllers.instances:
 controller.add_routes(app)
- runner = web.AppRunner(app, keepalive_timeout=0xFFFFFFFF)
+ runner = web.AppRunner(app, keepalive_timeout=0xFFFFFFFF, access_log=None)
 await runner.setup()
 await self.start_site(runner)
From c9cfdafe0cfaef8946c336df63fa68a2682e8011 Mon Sep 17 00:00:00 2001
From: Dan Bungert
Date: Thu, 5 Oct 2023 17:58:24 -0600
Subject: [PATCH 4/5] log: create /var/log/installer root only
---
 subiquitycore/log.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/subiquitycore/log.py b/subiquitycore/log.py
index 36a54f978..10a99126a 100644
--- a/subiquitycore/log.py
+++ b/subiquitycore/log.py
@@ -23,7 +23,7 @@ def setup_logger(dir, base="subiquity"):
 os.makedirs(dir, exist_ok=True)
 # Create the log directory in such a way that users in the group may
 # write to this directory in the installation environment.
- set_log_perms(dir, group_write=True)
+ set_log_perms(dir, mode=0o700)
 logger = logging.getLogger("")
 logger.setLevel(logging.DEBUG)
From ca8f1ca82696d55bc484c5793a26e20b2b777b71 Mon Sep 17 00:00:00 2001
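Review bot: `access_log=None` is passed to `web.AppRunner` in `make_server_at_path` (subiquity/common/api/server.py) and again in `start_api_server` (subiquity/server/server.py) with no in-code explanation, so the reason lives only in the commit message. A short comment at both call sites, such as `# access log would record request arguments, which may hold secrets`, would keep it from being switched back on during debugging. Because the setting now has to stay in sync in two places, any other `AppRunner` constructed elsewhere in the tree (not visible here) would need the same argument. `start_api_server` begins outside its hunk, and both functions may continue past the lines shown.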
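Review bot: The comment above the changed call in `setup_logger` (subiquitycore/log.py) still says the directory is created so that "users in the group may write to this directory", which contradicts the new `mode=0o700`. It should be rewritten, for example `# Restrict the log directory to its owner: installer logs can contain secrets.` Separately, `os.makedirs(dir, exist_ok=True)` creates the directory with umask-derived permissions before `set_log_perms` narrows them; passing the mode at creation, `os.makedirs(dir, mode=0o700, exist_ok=True)`, would close that window for a newly created directory. `setup_logger` continues past the end of the hunk.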
From: Dan Bungert
Date: Thu, 5 Oct 2023 18:26:14 -0600
Subject: [PATCH 5/5] snapcraft: curtin logs change
---
 snapcraft.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/snapcraft.yaml b/snapcraft.yaml
index d60d9bfcc..699d72ddd 100644
--- a/snapcraft.yaml
+++ b/snapcraft.yaml
@@ -70,7 +70,7 @@ parts:
 source: https://git.launchpad.net/curtin
 source-type: git
- source-commit: 64ea5fbe827aa98ddc63ea87de2de45689180c82
+ source-commit: 7c18bf6a24297ed465a341a1f53875b61c878d6b
 override-pull: |
 craftctl default