Fix: proper permissions for systemvm template registrations on hardened systems (#12098)

Related to https://github.com/apache/cloudstack/issues/10029#issuecomment-2531599607

We have umask 0077, so cloud-install-sys-tmplt creates paths like the ones below by default:

```
$ ls -l /mnt/secondary/template/tmpl/
total 16
drwx------. 3 root root 4096 Nov 19 13:58 1
drwxrwxrwx. 7 root root 4096 Oct 31 09:42 2
drwxrwxrwx. 3 root root 4096 Oct 30 15:59 4
drwxr-xr-x. 2 root root 4096 Oct 31 10:21 5
$ ls -l /mnt/secondary/template/tmpl/1/
total 4
drwx------. 2 root root 4096 Nov 19 13:59 3
$ ls -l /mnt/secondary/template/tmpl/1/3/
total 549848
-rw-------. 1 root root 563032576 Nov 19 13:59 d23a1e19-c563-4f69-85ca-8721cf02082c.qcow2
-rw-------. 1 root root       287 Nov 19 13:59 template.properties
```

This results in permission problems later on when trying to access the image.

Signed-off-by: Artem Sidorenko <artem.sidorenko@telekom.de>
Artem Sidorenko 2026-01-26 10:21:47 +01:00 committed by GitHub
parent 4adb719570
commit 0958dfc138
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 2 additions and 0 deletions


@ -44,6 +44,7 @@ failed() {
}
#set -x
umask 0022 # ensure we have the proper permissions even on hardened deployments
mflag=
fflag=
ext="vhd"
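
Review bot: Setting "umask 0022" once at the top of the script only affects paths created from this run onward, so directories and files already written under 0077 (the drwx------ "1" and "3" directories and the -rw------- qcow2 and template.properties in the commit message listing) keep their restrictive modes. Consider also setting the mode explicitly on the template directory and its files after they are written, so a re-run on an affected host repairs them and the result does not depend on the inherited umask. The global umask also widens every other file this script creates, so it would help if the comment said which paths need to be readable and by whom.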


@ -19,6 +19,7 @@
# Usage: e.g. failed $? "this is an error"
set -x
umask 0022 # ensure we have the proper permissions even on hardened deployments
failed() {
local returnval=$1
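
Review bot: The new "umask 0022" line sits between the "# Usage: e.g. failed $? ..." comment and the failed() definition that comment documents, which pushes the usage note further from its function. Moving the umask above the usage comment keeps the function and its documentation together. The trailing comment is identical to the one in the other script and says "proper permissions" without naming them; stating the intended result (0755 directories, 0644 files) and the reason world-read is required would make the choice of 0022 reviewable.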