diff --git a/backport-add-get_permissions-get_owner-get_group-get_user_gro.patch b/backport-add-get_permissions-get_owner-get_group-get_user_gro.patch
new file mode 100644
index 0000000000000000000000000000000000000000..19f909817a5f75566c2ae535f6b0e2bd8156ef71
--- /dev/null
+++ b/backport-add-get_permissions-get_owner-get_group-get_user_gro.patch
@@ -0,0 +1,76 @@
+From 00dbaf1e9ab0e59d81662f0f3561897bef499a3f Mon Sep 17 00:00:00 2001
+From: Emanuele Giuseppe Esposito
+Date: Mon, 9 Aug 2021 16:49:56 +0200
+Subject: [PATCH] add get_permissions/get_owner/get_group/get_user_groups
+
+---
+ cloudinit/util.py | 46 ++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 46 insertions(+)
+
+diff --git a/cloudinit/util.py b/cloudinit/util.py
+index 88d6d53..2379177 100644
+--- a/cloudinit/util.py
++++ b/cloudinit/util.py
+@@ -36,6 +36,7 @@ from errno import ENOENT, ENOEXEC
+ 
+ from base64 import b64decode, b64encode
+ from six.moves.urllib import parse as urlparse
++from typing import List
+ 
+ import six
+ 
+@@ -1887,6 +1888,51 @@ def chmod(path, mode):
+ with SeLinuxGuard(path):
+ os.chmod(path, real_mode)
+ 
++def get_permissions(path: str) -> int:
++ """
++ Returns the octal permissions of the file/folder pointed by the path,
++ encoded as an int.
++
++ @param path: The full path of the file/folder.
++ """
++
++ return stat.S_IMODE(os.stat(path).st_mode)
++
++
++def get_owner(path: str) -> str:
++ """
++ Returns the owner of the file/folder pointed by the path.
++
++ @param path: The full path of the file/folder.
++ """
++ st = os.stat(path)
++ return pwd.getpwuid(st.st_uid).pw_name
++
++
++def get_group(path: str) -> str:
++ """
++ Returns the group of the file/folder pointed by the path.
++
++ @param path: The full path of the file/folder.
++ """
++ st = os.stat(path)
++ return grp.getgrgid(st.st_gid).gr_name
++
++
++def get_user_groups(username: str) -> List[str]:
++ """
++ Returns a list of all groups to which the user belongs
++
++ @param username: the user we want to check
++ """
++ groups = []
++ for group in grp.getgrall():
++ if username in group.gr_mem:
++ groups.append(group.gr_name)
++
++ gid = pwd.getpwnam(username).pw_gid
++ groups.append(grp.getgrgid(gid).gr_name)
++ return groups
+ 
+ def write_file(filename, content, mode=0o644, omode="wb", copy_mode=False):
+ """
+-- 
+2.27.0
+ 
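Review bot: `get_user_groups` can return the same group twice, because the loop over `grp.getgrall()` already collects every group whose `gr_mem` lists the user and the primary group is then appended unconditionally; guard the final append with `primary = grp.getgrgid(gid).gr_name` / `if primary not in groups: groups.append(primary)`. The four new functions also use `stat`, `pwd` and `grp` while the hunk only adds `from typing import List`, so this backport presumably relies on those modules already being imported at the top of the 19.4 `util.py` — worth confirming, since a missing one would only surface as a NameError at call time. `get_permissions` resolves symlinks through `os.stat`, and its docstring's "octal permissions ... encoded as an int" would be clearer as `Returns the permission bits (stat.S_IMODE) of the path's target as an int; symlinks are followed.`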
diff --git a/backport-fix-Don-t-loosen-the-permissions-of-the-log-file.patch b/backport-fix-Don-t-loosen-the-permissions-of-the-log-file.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8b9f1e241ef5f511c7a959d06e797038a4d454da
--- /dev/null
+++ b/backport-fix-Don-t-loosen-the-permissions-of-the-log-file.patch
@@ -0,0 +1,89 @@
+From 2fb656fd991d788ed54e098815d93458e46f069e Mon Sep 17 00:00:00 2001
+From: Brett Holman
+Date: Fri, 24 Nov 2023 15:54:09 +0000
+Subject: [PATCH] fix: Don't loosen the permissions of the log file (#4628)
+
+Reference:https://github.com/canonical/cloud-init/commit/2fb656fd991d788ed54e098815d93458e46f069e
+
+Previous implementations loosened permissions in non-default scenarios.
+
+Fixes GH-4243
+---
+ cloudinit/stages.py | 15 ++++++++++++++-
+ cloudinit/tests/test_stages.py | 16 ++++++++++++++++
+ 2 files changed, 30 insertions(+), 1 deletion(-)
+
+diff --git a/cloudinit/stages.py b/cloudinit/stages.py
+index 633f57a..5e7733a 100644
+--- a/cloudinit/stages.py
++++ b/cloudinit/stages.py
+@@ -15,6 +15,7 @@ from cloudinit.settings import (
+ FREQUENCIES, CLOUD_CONFIG, PER_INSTANCE, RUN_CLOUD_CONFIG)
+ 
+ from cloudinit import handlers
++from contextlib import suppress
+ 
+ # Default handlers (used if not overridden)
+ from cloudinit.handlers.boot_hook import BootHookPartHandler
+@@ -146,13 +147,25 @@ class Init(object):
+ def initialize(self):
+ self._initialize_filesystem()
+ 
++ @staticmethod
++ def _get_strictest_mode(mode_1: int, mode_2: int) -> int:
++ return mode_1 & mode_2
++
+ def _initialize_filesystem(self):
++ mode = 0o640
++
+ util.ensure_dirs(self._initial_subdirs())
+ log_file = util.get_cfg_option_str(self.cfg, 'def_log_file')
+ if log_file:
+ # At this point the log file should have already been created
+ # in the setupLogging function of log.py
+- util.ensure_file(log_file, mode=0o640, preserve_mode=False)
++ with suppress(OSError):
++ mode = self._get_strictest_mode(
++ 0o640, util.get_permissions(log_file)
++ )
++
++ # set file mode to the strictest of 0o640 and the current mode
++ util.ensure_file(log_file, mode, preserve_mode=False)
+ perms = self.cfg.get('syslog_fix_perms')
+ if not perms:
+ perms = {}
+diff --git a/cloudinit/tests/test_stages.py b/cloudinit/tests/test_stages.py
+index d5c9c0e..42facb7 100644
+--- a/cloudinit/tests/test_stages.py
++++ b/cloudinit/tests/test_stages.py
+@@ -3,6 +3,7 @@
+ """Tests related to cloudinit.stages module."""
+ 
+ import os
++import pytest
+ 
+ from cloudinit import stages
+ from cloudinit import sources
+@@ -341,4 +342,19 @@ class TestInit(CiTestCase):
+ self.init.distro.apply_network_config.assert_called_with(
+ net_cfg, bring_up=True)
+ 
++@pytest.mark.parametrize(
++ "mode_1, mode_2, expected",
++ [
++ (0o777, 0o640, 0o640),
++ (0o640, 0o777, 0o640),
++ (0o640, 0o541, 0o440),
++ (0o111, 0o050, 0o010),
++ (0o631, 0o640, 0o600),
++ (0o661, 0o640, 0o640),
++ (0o453, 0o611, 0o411),
++ ],
++)
++def test_strictest_permissions(mode_1, mode_2, expected):
++ assert expected == stages.Init._get_strictest_mode(mode_1, mode_2)
++
+ # vi: ts=4 expandtab
+-- 
+2.27.0
+ 
diff --git a/cloud-init.spec b/cloud-init.spec
index 84fbd5d60a464e76edb4f6588b7afff25bb3becb..a6410ddae0153a7d8837fcbd46ca93fa23c37b81 100644
--- a/cloud-init.spec
+++ b/cloud-init.spec
@@ -1,6 +1,6 @@
 Name: cloud-init
 Version: 19.4
-Release: 13
+Release: 14
 Summary: the defacto multi-distribution package that handles early initialization of a cloud instance.
 License: ASL 2.0 or GPLv3
 URL: http://launchpad.net/cloud-init
@@ -23,6 +23,8 @@ Patch12: remove-schema-errors-from-log-for-cloudinit-config-cc_.patch
 Patch13: backport-stages-don-t-reset-permissions-of-cloud-init.log-eve.patch
 Patch14: backport-Create-the-log-file-with-640-permissions-858.patch
 Patch15: backport-CVE-2023-1786-Make-user-vendor-data-sensitive-and-remove-log-permi.patch
+Patch16: backport-fix-Don-t-loosen-the-permissions-of-the-log-file.patch
+Patch17: backport-add-get_permissions-get_owner-get_group-get_user_gro.patch
 Patch9000: Fix-the-error-level-logs-displayed-for-the-cloud-init-local-service.patch
@@ -131,6 +133,9 @@ fi
 %exclude /usr/share/doc/*
 %changelog
+* Thu Dec 14 2023 shixuantong - 19.4-14
+- fix: Don't loosen the permissions of the log file
+
 * Wed May 24 2023 fuanan - 19.4-13
 - fix CVE-2023-1786
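Review bot: The `with suppress(OSError)` around `util.get_permissions(log_file)` in `_initialize_filesystem` discards the reason a stat failed (missing file, EACCES, a transient error) and silently falls back to the hard-coded 0o640; the fallback is the safe direction, since the AND in `_get_strictest_mode` can only clear bits relative to 0o640, but an operator debugging unexpected log-file permissions gets no trace of why the current mode was not consulted. An explicit `except OSError as e:` that records the error at debug level — assuming `stages.py` has a module logger, which the hunk does not show — would keep the behaviour and add the diagnostic. `_get_strictest_mode` also deserves a docstring, e.g. `"""Return the permission bits set in both modes (bitwise AND), i.e. the stricter of the two."""`, since "strictest" only holds bit-wise and the parametrized cases in `test_stages.py` are the only place this is spelled out. `_initialize_filesystem` continues past the end of the hunk.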
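Review bot: `Patch16` (the log-file fix, which calls `util.get_permissions`) is numbered before `Patch17`, the backport that introduces `get_permissions`, so the series reads in reverse dependency order; the two patches touch different files (`stages.py` vs `util.py`), so they presumably apply cleanly either way, but anyone bisecting the series by patch number lands on a tree where the fix raises AttributeError at boot. Swapping the two numbers — `Patch16: backport-add-get_permissions-get_owner-get_group-get_user_gro.patch` / `Patch17: backport-fix-Don-t-loosen-the-permissions-of-the-log-file.patch` — keeps the dependency first. The `%prep` section that applies the series is outside this diff, so the actual application order cannot be confirmed here.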