
On Mon, May 15, 2017 at 10:27 AM, Daniel P. Berrange <berrange@redhat.com> wrote:
Kinda surprised this didn't generate some immediate discussion... I would also think that if you had a desire to change defaults you'd also have a libvirt.spec.in adjustment...
Actually no it doesn't - the spec file is already marking /var/lib/libvirt/images as 0711.
For reference, this is the current spec content:
libvirt.spec.in:1745:%dir %attr(0711, root, root) %{_localstatedir}/lib/libvirt/images/
Still, 0755 or umask(022) seem to be fairly prevalent settings, and having the <mode> for the XML to be able to override a default certainly gives credence to arguments in either direction whether or not to change the defaults.
It's been a long while since I considered system/directory/file security things, but I have this faint recollection of some strange issue when not having world or group "executable" as a default.
The fact that the RPM spec ships with 0711 shows that it works ok. So I think this change is reasonable.
Interesting, I didn't check the RPM spec - thanks Daniel for pointing this out. It has been 711 on Ubuntu as well for quite some time now. Both together make this even less likely to have hidden drawbacks.
--
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd