From 1db260f1f55b9e3c55a9d3189d29e4343108cb01 Mon Sep 17 00:00:00 2001 From: Artem Sidorenko Date: Wed, 19 Nov 2025 14:15:54 +0100 Subject: [PATCH] Fix: proper permissions for systemvm template registrations on hardened systems Related to https://github.com/apache/cloudstack/issues/10029#issuecomment-2531599607 We have umask 0077, so cloud-install-sys-tmplt is creating by default paths like below ``` $ ls -l /mnt/secondary/template/tmpl/ total 16 drwx------. 3 root root 4096 Nov 19 13:58 1 drwxrwxrwx. 7 root root 4096 Oct 31 09:42 2 drwxrwxrwx. 3 root root 4096 Oct 30 15:59 4 drwxr-xr-x. 2 root root 4096 Oct 31 10:21 5 $ ls -l /mnt/secondary/template/tmpl/1/ total 4 drwx------. 2 root root 4096 Nov 19 13:59 3 $ ls -l /mnt/secondary/template/tmpl/1/3/ total 549848 -rw-------. 1 root root 563032576 Nov 19 13:59 d23a1e19-c563-4f69-85ca-8721cf02082c.qcow2 -rw-------. 1 root root 287 Nov 19 13:59 template.properties ``` This results to the permissions problems later on, when trying to access the image Signed-off-by: Artem Sidorenko
---
 scripts/storage/secondary/cloud-install-sys-tmplt | 1 +
 scripts/storage/secondary/setup-sysvm-tmplt | 1 +
 2 files changed, 2 insertions(+)
diff --git a/scripts/storage/secondary/cloud-install-sys-tmplt b/scripts/storage/secondary/cloud-install-sys-tmplt
index ad976c502c69..fc09dc968fff 100755
--- a/scripts/storage/secondary/cloud-install-sys-tmplt
+++ b/scripts/storage/secondary/cloud-install-sys-tmplt
@@ -44,6 +44,7 @@ failed() {
 }
 #set -x
+umask 0022 # ensure we have the proper permissions even on hardened deployments
 mflag=
 fflag=
 ext="vhd"
diff --git a/scripts/storage/secondary/setup-sysvm-tmplt b/scripts/storage/secondary/setup-sysvm-tmplt
index 06f0586fe342..63006cc4e4c2 100755
--- a/scripts/storage/secondary/setup-sysvm-tmplt
+++ b/scripts/storage/secondary/setup-sysvm-tmplt
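Review bot: The `umask 0022` added after `#set -x` in cloud-install-sys-tmplt (and the identical line added to setup-sysvm-tmplt) relaxes the mask for everything the script creates from that point on, not only the template directory and image, so on a host deliberately set to 0077 any scratch or intermediate file written later would also become world-readable. The rest of the script is outside this hunk, so whether such files exist needs checking; a narrower change keeps the inherited umask and sets modes on the template paths explicitly, e.g. `chmod 0755 -- "$TEMPLATE_DIR"` and `chmod 0644 -- "$TEMPLATE_FILE"` (placeholder names, the real variables are not visible here). The listing in the commit message shows sibling directories at both 0777 and 0755, so the mode the consumer actually needs is worth stating. The trailing comment could carry that instead of "proper permissions", for example `# templates on secondary storage must be readable by other users: dirs 0755, files 0644 (overrides a hardened umask such as 0077)`, with the consuming user named once confirmed.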
@@ -19,6 +19,7 @@ # Usage: e.g. failed $? "this is an error"
 set -x
+umask 0022 # ensure we have the proper permissions even on hardened deployments
 failed() {
 local returnval=$1
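Review bot: The `umask 0022` added after `set -x` in setup-sysvm-tmplt only governs entries created from now on, so the `drwx------` directories and `-rw-------` files shown in the commit message keep their modes when the script runs again over an existing path; the same holds for the line added to cloud-install-sys-tmplt. If the script reuses an existing template directory (the code that creates it is outside this hunk), already-affected deployments would presumably keep failing until the modes are corrected by hand. Either note the one-off fix in the upgrade notes, or have the script normalise the destination it writes, e.g. `chmod -R u=rwX,go=rX -- "$DEST_DIR"` (placeholder name, the real variable is not visible here).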