Description of problem:
When using Cloud-Init (via Run Once) for VM bootstrapping, the `user_data` and `meta_data.json` files on the config-drive have world-readable permissions. Since they contain sensitive information such as root password or SSH auth. key, they should not be readable for everyone.

Version-Release number of selected component (if applicable):
rhevm-3.3.0-0.35.beta1.el6ev.noarch (is24)

How reproducible:
100%

Steps to Reproduce:
1. In Webadmin, have a VM and run it via Run Once with some values in Initial Run/Cloud-Init section.
2. On the host the VM is running, search the qemu process for the attached config-drive CD-ROM image (ps aux | grep [q]emu | grep cdrom). It looks like:

    -drive file=/var/run/vdsm/payload/d80627d0-04f4-48d5-9335-753354c2cc29.81b3df31f8697cbeb6accd60218166b7.img,if=none,media=cdrom,id=drive-ide0-1-1,readonly=on,format=raw,serial=

3. Mount the image and check permissions of the meta data and user data files:

    # mount -t iso9660 -o loop /var/run/vdsm/payload/<config-drive>.img /mnt/cloud-init/
    # ls -l /mnt/cloud-init/openstack/latest/

Actual results:

    -r--r--r--. 1 root root 695 21. lis 17.33 meta_data.json
    -r--r--r--. 1 root root 291 21. lis 17.33 user_data

Expected results:
The files should be readable only for root user, not for everyone.

Additional info:

This is exposed in the VM as a CDROM, so you need permissions for that, so not a big deal. Fixing this would require extending the payload feature with user/group and permissions.

Maybe just by default create non-world-readable files...

Verified upstream in ovirt-engine-3.4.0-0.7.beta2.el6.noarch. Followed reproducer in comment 0 for verification.

Results: The files on the attached config-drive are no longer world-readable:

    # mount -t iso9660 -o loop /var/run/vdsm/payload/11b2841c-03bd-43d8-8d43-4ece2392fee8.62b0aaef2741993fc8bc89d3c3bc4f58.img /mnt/cloud-init/
    # ls -l /mnt/cloud-init/openstack/latest/
    -rw-r-----. 1 root root 252 Feb 18 11:59 meta_data.json
    -rw-r-----. 1 root root 222 Feb 18 11:59 user_data

Closing as part of 3.4.0
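
A check for the condition reported in this bug, as an added example (not part of the bug report and not oVirt/VDSM code): a shell function that inspects an already mounted config-drive directory, such as /mnt/cloud-init from the reproducer, and flags files under openstack/latest whose "other" read bit is set. The function name `audit_config_drive` and its return codes are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the bug report or from oVirt/VDSM.
# Usage: sh audit.sh /mnt/cloud-init   (directory where the config-drive
# image is already mounted, as in step 3 of the reproducer)
#
# Return codes (chosen for this example):
#   0  no file under openstack/latest is readable by "other"
#   1  at least one world-readable file was found (listed on stdout)
#   2  the directory has no openstack/latest tree

audit_config_drive() {
    root=$1
    latest="$root/openstack/latest"

    if [ ! -d "$latest" ]; then
        echo "no openstack/latest under $root" >&2
        return 2
    fi

    # -perm -004 matches files whose "other read" bit is set, which is
    # the -r--r--r-- case from the report. Mode 0640 does not match.
    bad=$(find "$latest" -type f -perm -004 -print)

    if [ -n "$bad" ]; then
        # Print the full ls -l line so owner, group and mode are visible.
        echo "$bad" | while IFS= read -r f; do
            echo "world-readable: $(ls -l "$f")"
        done
        return 1
    fi
    return 0
}

# Run the audit when a mount point is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_config_drive "$1"
fi
```
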