From de00d7a6817f579628648c65a1b1930bfc6bab85 Mon Sep 17 00:00:00 2001
From: Mark Ryan <mark.d.ryan@intel.com>
Date: Thu, 13 Sep 2018 09:18:47 +0200
Subject: [PATCH] qemu/image: Reduce permissions of .iso creation dir

The contents of .iso used to bootstrap VMs with cloudinit are
initialised using a precreated, short-lived  directory.  The
permissions on this directory were too lenient.  This commit
restricts access to this directory to the user and his/her group.

Signed-off-by: Mark Ryan <mark.d.ryan@intel.com>
---
 qemu/image.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/qemu/image.go b/qemu/image.go
index 352659adb..b2f906f7c 100644
--- a/qemu/image.go
+++ b/qemu/image.go
@@ -49,8 +49,7 @@ func CreateCloudInitISO(ctx context.Context, scratchDir, isoPath string,
 		_ = os.RemoveAll(configDrivePath)
 	}()
 
-	/* #nosec */
-	err := os.MkdirAll(dataDirPath, 0755)
+	err := os.MkdirAll(dataDirPath, 0750)
 	if err != nil {
 		return fmt.Errorf("Unable to create config drive directory %s : %v",
 			dataDirPath, err)