[Pkg-libvirt-maintainers] Bug#680463: virtinst: disk-images with a+x permissions
Ron
ron at debian.org
Sun Jun 29 06:55:03 UTC 2014
Hi,
If virt-install tool creates a new disk image, it gets world readable
and executable permission, neither of which it needs, and the former
of which could be a security hole on some systems.
It would appear the reason for this is that python's os.open() defaults
to mode 0777 if none is explicitly specified. Which is how it is used
in the virt-install code.
I've just sent a patch to fix this to the upstream list against the
current git head. I'm not sure what your plans are for getting the
current release out of experimental and in to jessie, but fixing this
for the version in sid would be reasonably trivial too.
Just grep for O_CREAT, and in the 4 places it is found add ', 0640'
to the open() call. The disk images shouldn't need any more generous
permission than that.
Cheers,
Ron
More information about the Pkg-libvirt-maintainers
mailing list