don't create world-readable archives of LXC containers

with the default umask tar will create a world-readable archive of the container, which may contain sensitive data Signed-off-by: Evgeni Golov <evgeni@golov.de>
10 years ago · 6bfd2846f8
parent 719b9b229b
commit 6bfd2846f8
1 changed files with 5 additions and 0 deletions
--- a/cloud/lxc/lxc_container.py
+++ b/cloud/lxc/lxc_container.py
@ -1366,6 +1366,8 @@ class LxcContainerManagement(object):
        :type source_dir: ``str``
        """

+        old_umask = os.umask(0077)
+
        archive_path = self.module.params.get('archive_path')
        if not os.path.isdir(archive_path):
            os.makedirs(archive_path)
@ -1396,6 +1398,9 @@ class LxcContainerManagement(object):
            build_command=build_command,
            unsafe_shell=True
        )
+
+        os.umask(old_umask)
+
        if rc != 0:
            self.failure(
                err=err,