Deny access to sensitive data for other users

2026-04-15 11:30:41 +02:00 · 2026-04-15 11:30:41 +02:00 · c709bceab9
commit c709bceab9
parent 55fbda871c
2 changed files with 3 additions and 1 deletions
--- a/roles/lmn_vm/files/vm-run
+++ b/roles/lmn_vm/files/vm-run
@ -208,6 +208,8 @@ EOF

 QEMU='qemu:///session'

+umask 077
+
 NEWCLONE=0
 PERSISTENT=0
 LIBVIRTOSINFO="win10"
--- a/roles/lmn_vm/tasks/main.yml
+++ b/roles/lmn_vm/tasks/main.yml
@ -222,7 +222,7 @@
      Description=Create .vminfo.json for VMs
      [Service]
      Type=simple
-      ExecStart=/usr/bin/bash -c 'umask 027; /usr/local/bin/vm-vminfo > "{% if localhome %}/home{% else %}/lmn/media{% endif %}/${USER}/.vminfo.json"'
+      ExecStart=/usr/bin/bash -c 'umask 077; /usr/local/bin/vm-vminfo > "{% if localhome %}/home{% else %}/lmn/media{% endif %}/${USER}/.vminfo.json"'
    dest: /etc/systemd/user/vminfo.service
    mode: '0644'