Skip to content

{Security} Set log file permissions to 600 on creation#33296

Draft
huiii99 wants to merge 8 commits intoAzure:devfrom
huiii99:fix/set-log-permission-600
Draft

{Security} Set log file permissions to 600 on creation#33296
huiii99 wants to merge 8 commits intoAzure:devfrom
huiii99:fix/set-log-permission-600

Conversation

@huiii99
Copy link
Copy Markdown
Member

@huiii99 huiii99 commented Apr 30, 2026

Related command

Description
Fixes https://github.com/Azure/CLIPS/issues/21

Azure CLI debug log files may contain credentials and secrets. Currently, log files are created with default permissions (0o644 on Linux), which allows other users on the same system to read sensitive data.

This PR introduces custom secure file handlers (SecureFileHandler and SecureRotatingFileHandler) that override _open() to atomically create log files with 0o600 (owner read/write only) permissions using os.open().

Testing Guide

Automated Tests

python -m unittest azure.cli.core.tests.test_azlogging -v

Manual Testing (WSL / Linux)

# 1. Open WSL and navigate to the repo
wsl
cd /mnt/c/Users/v-jileong/work/azure-cli

# 2. Set up a virtual environment and install
python3 -m venv .venv
source .venv/bin/activate
pip install -e src/azure-cli-core
pip install -e src/azure-cli

# 3. Run the automated tests (all 5 should pass, none skipped on Linux)
python -m unittest azure.cli.core.tests.test_azlogging -v

# 4. Enable file logging and run any command
az config set logging.enable_log_file=true
az account show 2>/dev/null || true

# 5. Check rotating log permissions
stat -c '%a %n' ~/.azure/az.log
# Expected: 600

# 6. Check command log permissions
stat -c '%a %n' ~/.azure/commands/*.log
# Expected: 600

# 7. Verify content was written
head -3 ~/.azure/commands/*.log

# 8. Negative test — non-owner access (should be denied)
sudo -u nobody cat ~/.azure/az.log
# Expected: cat: /home/<user>/.azure/az.log: Permission denied

sudo -u nobody cat ~/.azure/commands/*.log
# Expected: Permission denied

# 9. Compare with a default-permission file
echo "test" > /tmp/normal.txt
ls -la /tmp/normal.txt ~/.azure/az.log
# Expected:
# -rw-r--r--  /tmp/normal.txt       <-- default: others can read
# -rw-------  ~/.azure/az.log       <-- fixed: owner only

Manual Testing (Windows)

# 1. Enable file logging and run any az command
az config set logging.enable_log_file=true
az account show

# 2. Verify log files are created without errors
Get-ChildItem ~/.azure/az.log
Get-ChildItem ~/.azure/commands/*.log
# Expected: files exist with content, no errors

Test Results

Linux

Test Before Fix After Fix
FileHandler permission 0o644 (-rw-r--r--) 0o600 (-rw-------)
RotatingFileHandler permission 0o644 (-rw-r--r--) 0o600 (-rw-------)
Backup files permission N/A 0o600 (-rw-------)
Non-owner read access Allowed Denied
Non-owner write access Denied Denied
Content written correctly Yes Yes

Windows does not use POSIX file permissions. File access is managed by Windows ACLs. The secure handler works without errors on Windows — the 0o600 mode is a no-op, which is expected and harmless.

History Notes

This checklist is used to make sure that common guidelines for a pull request are followed.

@azure-client-tools-bot-prd
Copy link
Copy Markdown

azure-client-tools-bot-prd Bot commented Apr 30, 2026
edited
Loading

️✔️AzureCLI-FullTest
️✔️acr
️✔️latest
️✔️3.12
️✔️3.13
️✔️acs
️✔️latest
️✔️3.12
️✔️3.13
️✔️advisor
️✔️latest
️✔️3.12
️✔️3.13
️✔️ams
️✔️latest
️✔️3.12
️✔️3.13
️✔️apim
️✔️latest
️✔️3.12
️✔️3.13
️✔️appconfig
️✔️latest
️✔️3.12
️✔️3.13
️✔️appservice
️✔️latest
️✔️3.12
️✔️3.13
️✔️aro
️✔️latest
️✔️3.12
️✔️3.13
️✔️backup
️✔️latest
️✔️3.12
️✔️3.13
️✔️batch
️✔️latest
️✔️3.12
️✔️3.13
️✔️batchai
️✔️latest
️✔️3.12
️✔️3.13
️✔️billing
️✔️latest
️✔️3.12
️✔️3.13
️✔️botservice
️✔️latest
️✔️3.12
️✔️3.13
️✔️cdn
️✔️latest
️✔️3.12
️✔️3.13
️✔️cloud
️✔️latest
️✔️3.12
️✔️3.13
️✔️cognitiveservices
️✔️latest
️✔️3.12
️✔️3.13
️✔️compute_recommender
️✔️latest
️✔️3.12
️✔️3.13
️✔️computefleet
️✔️latest
️✔️3.12
️✔️3.13
️✔️config
️✔️latest
️✔️3.12
️✔️3.13
️✔️configure
️✔️latest
️✔️3.12
️✔️3.13
️✔️consumption
️✔️latest
️✔️3.12
️✔️3.13
️✔️container
️✔️latest
️✔️3.12
️✔️3.13
️✔️containerapp
️✔️latest
️✔️3.12
️✔️3.13
️✔️core
️✔️latest
️✔️3.12
️✔️3.13
️✔️cosmosdb
️✔️latest
️✔️3.12
️✔️3.13
️✔️databoxedge
️✔️latest
️✔️3.12
️✔️3.13
️✔️dls
️✔️latest
️✔️3.12
️✔️3.13
️✔️dms
️✔️latest
️✔️3.12
️✔️3.13
️✔️eventgrid
️✔️latest
️✔️3.12
️✔️3.13
️✔️eventhubs
️✔️latest
️✔️3.12
️✔️3.13
️✔️feedback
️✔️latest
️✔️3.12
️✔️3.13
️✔️find
️✔️latest
️✔️3.12
️✔️3.13
️✔️hdinsight
️✔️latest
️✔️3.12
️✔️3.13
️✔️identity
️✔️latest
️✔️3.12
️✔️3.13
️✔️iot
️✔️latest
️✔️3.12
️✔️3.13
️✔️keyvault
️✔️latest
️✔️3.12
️✔️3.13
️✔️lab
️✔️latest
️✔️3.12
️✔️3.13
️✔️managedservices
️✔️latest
️✔️3.12
️✔️3.13
️✔️maps
️✔️latest
️✔️3.12
️✔️3.13
️✔️marketplaceordering
️✔️latest
️✔️3.12
️✔️3.13
️✔️monitor
️✔️latest
️✔️3.12
️✔️3.13
️✔️mysql
️✔️latest
️✔️3.12
️✔️3.13
️✔️netappfiles
️✔️latest
️✔️3.12
️✔️3.13
️✔️network
️✔️latest
️✔️3.12
️✔️3.13
️✔️policyinsights
️✔️latest
️✔️3.12
️✔️3.13
️✔️postgresql
️✔️latest
️✔️3.12
️✔️3.13
️✔️privatedns
️✔️latest
️✔️3.12
️✔️3.13
️✔️profile
️✔️latest
️✔️3.12
️✔️3.13
️✔️rdbms
️✔️latest
️✔️3.12
️✔️3.13
️✔️redis
️✔️latest
️✔️3.12
️✔️3.13
️✔️relay
️✔️latest
️✔️3.12
️✔️3.13
️✔️resource
️✔️latest
️✔️3.12
️✔️3.13
️✔️role
️✔️latest
️✔️3.12
️✔️3.13
️✔️search
️✔️latest
️✔️3.12
️✔️3.13
️✔️security
️✔️latest
️✔️3.12
️✔️3.13
️✔️servicebus
️✔️latest
️✔️3.12
️✔️3.13
️✔️serviceconnector
️✔️latest
️✔️3.12
️✔️3.13
️✔️servicefabric
️✔️latest
️✔️3.12
️✔️3.13
️✔️signalr
️✔️latest
️✔️3.12
️✔️3.13
️✔️sql
️✔️latest
️✔️3.12
️✔️3.13
️✔️sqlvm
️✔️latest
️✔️3.12
️✔️3.13
️✔️storage
️✔️latest
️✔️3.12
️✔️3.13
️✔️synapse
️✔️latest
️✔️3.12
️✔️3.13
️✔️telemetry
️✔️latest
️✔️3.12
️✔️3.13
️✔️util
️✔️latest
️✔️3.12
️✔️3.13
️✔️vm
️✔️latest
️✔️3.12
️✔️3.13

@azure-client-tools-bot-prd
Copy link
Copy Markdown

azure-client-tools-bot-prd Bot commented Apr 30, 2026
edited
Loading

️✔️AzureCLI-BreakingChangeTest
️✔️Non Breaking Changes

@yonzhan
Copy link
Copy Markdown
Collaborator

yonzhan commented Apr 30, 2026

Thank you for your contribution! We will review the pull request and get back to you soon.

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Apr 30, 2026

The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR.

Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
After that please run the following commands to enable git hooks:

pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>

@microsoft-github-policy-service microsoft-github-policy-service Bot added the Auto-Assign Auto assign by bot label Apr 30, 2026
@microsoft-github-policy-service microsoft-github-policy-service Bot added ARM az resource/group/lock/tag/deployment/policy/managementapp/account management-group act-identity-squad labels Apr 30, 2026
@huiii99 huiii99 changed the title Set log files' permission to 600 while creating {Security} Set log file permissions to 600 on creation Apr 30, 2026
@yonzhan yonzhan assigned huiii99 and unassigned zhoxing-ms Apr 30, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zhoxing-ms zhoxing-ms Awaiting requested review from zhoxing-ms

@yonzhan yonzhan Awaiting requested review from yonzhan yonzhan is a code owner

@wangzelin007 wangzelin007 Awaiting requested review from wangzelin007

@jiasli jiasli Awaiting requested review from jiasli jiasli is a code owner

@jsntcy jsntcy Awaiting requested review from jsntcy

@NoriZC NoriZC Awaiting requested review from NoriZC NoriZC will be requested when the pull request is marked ready for review NoriZC is a code owner

@yanzhudd yanzhudd Awaiting requested review from yanzhudd yanzhudd will be requested when the pull request is marked ready for review yanzhudd is a code owner

@teresaritorto teresaritorto Awaiting requested review from teresaritorto teresaritorto will be requested when the pull request is marked ready for review teresaritorto is a code owner

@necusjz necusjz Awaiting requested review from necusjz necusjz will be requested when the pull request is marked ready for review necusjz is a code owner

@DanielMicrosoft DanielMicrosoft Awaiting requested review from DanielMicrosoft DanielMicrosoft will be requested when the pull request is marked ready for review DanielMicrosoft is a code owner

@ReaNAiveD ReaNAiveD Awaiting requested review from ReaNAiveD ReaNAiveD will be requested when the pull request is marked ready for review ReaNAiveD is a code owner

@bebound bebound Awaiting requested review from bebound bebound will be requested when the pull request is marked ready for review bebound is a code owner

@isra-fel isra-fel Awaiting requested review from isra-fel isra-fel will be requested when the pull request is marked ready for review isra-fel is a code owner

@notyashhh notyashhh Awaiting requested review from notyashhh notyashhh will be requested when the pull request is marked ready for review notyashhh is a code owner

@xuming-ms xuming-ms Awaiting requested review from xuming-ms xuming-ms will be requested when the pull request is marked ready for review xuming-ms is a code owner

Copilot code review Copilot Awaiting requested review from Copilot Copilot will automatically review once the pull request is marked ready for review

At least 1 approving review is required to merge this pull request.

Assignees

@jiasli jiasli

@huiii99 huiii99

Labels

act-identity-squad act-observability-squad act-platform-engineering-squad ARM az resource/group/lock/tag/deployment/policy/managementapp/account management-group Auto-Assign Auto assign by bot Backup Installation

Projects

None yet

Milestone

June 2026 (2026-06-02)

Development

Successfully merging this pull request may close these issues.

4 participants

@huiii99 @yonzhan @jiasli @zhoxing-ms