From 8a34fc3d48c467aa196f65eed444ccdc7c02f19f Mon Sep 17 00:00:00 2001
From: Xavier Queralt
Date: Wed, 27 Nov 2013 20:44:36 +0100
Subject: [PATCH] Enforce permissions in snapshots temporary dir Live snapshots creates a temporary directory where libvirt driver creates a new image from the instance's disk using blockRebase. Currently this directory is created with 777 permissions making this directory accessible by all the users in the system. This patch changes the tempdir permissions so they have the o+x flag set, which is what libvirt needs to be able to write in it and
Closes-Bug: #1227027
Change-Id: I767ff5247b4452821727e92b668276004fc0f84d
---
 nova/virt/libvirt/driver.py | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/nova/virt/libvirt/driver.py b/nova/virt/libvirt/driver.py
index 960e7ce56d24..2feddaff3c02 100644
--- a/nova/virt/libvirt/driver.py
+++ b/nova/virt/libvirt/driver.py
@@ -1488,9 +1488,8 @@ class LibvirtDriver(driver.ComputeDriver):
 try:
 out_path = os.path.join(tmpdir, snapshot_name)
 if live_snapshot:
- # NOTE (rmk): libvirt needs to be able to write to the
- # temp directory, which is owned nova.
- utils.execute('chmod', '777', tmpdir, run_as_root=True)
+ # NOTE(xqueralt): libvirt needs o+x in the temp directory
+ os.chmod(tmpdir, 0o701)
 self._live_snapshot(virt_dom, disk_path, out_path,
 image_format)
 else:
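Review bot: The new `os.chmod(tmpdir, 0o701)` still leaves the search bit set for every local account, so the snapshot image at `out_path` stays reachable by name unless `snapshot_name` is unpredictable or the file's own mode blocks access. Neither the name generation nor the file mode is visible in this hunk, so both should be confirmed. The comment should record the constraint so the mode is not widened again, e.g. `# NOTE(xqueralt): libvirt/qemu only needs to traverse tmpdir (o+x); keep it unlistable and unwritable for other users and make sure out_path itself is not world-readable`. The commit message says o+x is what lets libvirt write in the directory, but search permission alone does not allow creating entries there, so presumably the target file is pre-created or written by a privileged process; the comment should state which. The enclosing `try:` block and the snapshot method both continue outside the hunk.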