From c709bceab931261411e7df2ee44181abbe9171ee Mon Sep 17 00:00:00 2001
From: Raphael Dannecker <raphael.dannecker@steinbeisschule-reutlingen.de>
Date: Wed, 15 Apr 2026 11:30:41 +0200
Subject: [PATCH] Deny access to sensitive data for other users

---
 roles/lmn_vm/files/vm-run   | 2 ++
 roles/lmn_vm/tasks/main.yml | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/roles/lmn_vm/files/vm-run b/roles/lmn_vm/files/vm-run
index af0bd67..ee366ca 100755
--- a/roles/lmn_vm/files/vm-run
+++ b/roles/lmn_vm/files/vm-run
@@ -208,6 +208,8 @@ EOF
 
 QEMU='qemu:///session'
 
+umask 077
+
 NEWCLONE=0
 PERSISTENT=0
 LIBVIRTOSINFO="win10"
diff --git a/roles/lmn_vm/tasks/main.yml b/roles/lmn_vm/tasks/main.yml
index e2c312b..7bf0f71 100644
--- a/roles/lmn_vm/tasks/main.yml
+++ b/roles/lmn_vm/tasks/main.yml
@@ -222,7 +222,7 @@
       Description=Create .vminfo.json for VMs
       [Service]
       Type=simple
-      ExecStart=/usr/bin/bash -c 'umask 027; /usr/local/bin/vm-vminfo > "{% if localhome %}/home{% else %}/lmn/media{% endif %}/${USER}/.vminfo.json"'
+      ExecStart=/usr/bin/bash -c 'umask 077; /usr/local/bin/vm-vminfo > "{% if localhome %}/home{% else %}/lmn/media{% endif %}/${USER}/.vminfo.json"'
     dest: /etc/systemd/user/vminfo.service
     mode: '0644'