On Fri, 2020-02-28 at 16:56 +0100, Michal Privoznik wrote:
+++ b/src/qemu/qemu_shim.c @@ -158,6 +158,12 @@ int main(int argc, char **argv) return 1; } tmproot = true; + + if (chmod(root, S_IRWXU | S_IXGRP | S_IXOTH) < 0) {
I think this is unnecessarily restrictive: the directories that are created right underneath root are all 0755, with the files themselves being mostly 0600, so using 0711 here is only going to add a bit of annoyance rather than actual security I think. Also, and this is a personal preference so feel free to ignore it, I would find using octal values directly more readable. With a more permissive mode used, Reviewed-by: Andrea Bolognani <abologna@redhat.com> -- Andrea Bolognani / Red Hat / Virtualization