From 1f0cbc02b93c115141e9ab97a37cd44e2fe1e5c8 Mon Sep 17 00:00:00 2001
From: Raphael Dannecker
Date: Wed, 15 Apr 2026 17:01:56 +0200
Subject: [PATCH 1/2] Only VM media directory needs restricted access

---
 roles/lmn_vm/files/vm-run | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/roles/lmn_vm/files/vm-run b/roles/lmn_vm/files/vm-run
index 454b4c5..3fa4f75 100755
--- a/roles/lmn_vm/files/vm-run
+++ b/roles/lmn_vm/files/vm-run
@@ -125,8 +125,6 @@ create_clone() {
 create_printerlist() {
 ## Prepare .printerlist.csv
- mkdir -p "${VM_MEDIADIR}"
- chgrp "$(id -g)" "${VM_MEDIADIR}"
 echo "Name;IppURL" > "${VM_MEDIADIR}/.printerlist.csv"
 for p in $(lpstat -v | cut -f 3 -d" " | sed 's/:$//'); do
 echo "$p;ipp://192.168.122.1/printers/$p" >> "${VM_MEDIADIR}/.printerlist.csv"
@@ -208,7 +206,6 @@ EOF
 QEMU='qemu:///session'
-umask 077
 NEWCLONE=0
 PERSISTENT=0
@@ -363,6 +360,8 @@ if ! virsh --connect="${QEMU}" list | grep "${VM_NAME}-clone"; then
 else
 VMINFO_DIR="/lmn/media/${USER}"
 fi
+ mkdir -p "${VM_MEDIADIR}" -m 700
+ chgrp "$(id -g)" "${VM_MEDIADIR}"
 create_printerlist
 create_mountlist
@@ -370,7 +369,7 @@ if ! virsh --connect="${QEMU}" list | grep "${VM_NAME}-clone"; then
 [[ "${QEMU}" = 'qemu:///session' ]] && start_virtiofsd
 # Create VMInfo Json file
- #( umask 027; ./vm-create-vminfo > "${VMINFO_DIR}/.vminfo.json" )
+ #( umask 077; ./vm-create-vminfo > "${VMINFO_DIR}/.vminfo.json" )
 # Start vminfo.timer
 systemctl --user restart vminfo.timer

From 4b2158b03484ec6994ff910837c75204f4070e59 Mon Sep 17 00:00:00 2001
From: Raphael Dannecker
Date: Wed, 15 Apr 2026 17:10:10 +0200
Subject: [PATCH 2/2] FVS Fix VM-image permissions

---
 roles/lmn_tmpfixes/tasks/main.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/roles/lmn_tmpfixes/tasks/main.yml b/roles/lmn_tmpfixes/tasks/main.yml
index 23e0bf8..450d988 100644
--- a/roles/lmn_tmpfixes/tasks/main.yml
+++ b/roles/lmn_tmpfixes/tasks/main.yml
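Review bot: create_printerlist now writes into "${VM_MEDIADIR}" without creating it, so it silently depends on the caller having already run the `mkdir -p ... -m 700` that this commit adds to the main flow; nothing in the function records that. A precondition comment at the top of the function, `## Requires ${VM_MEDIADIR} to already exist (created with mode 700 in the main flow before this runs)`, would make the dependency visible to anyone who later calls or moves the function. The rest of the function body lies outside the hunk.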
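Review bot: Removing the script-wide `umask 077` widens the default mode of every file the script creates outside "${VM_MEDIADIR}" to the invoking user's umask — whatever create_clone and create_mountlist write included — and the code no longer records why. The subject line says this is intended, so a one-line comment where the umask used to be, `# No global umask on purpose: only ${VM_MEDIADIR} is restricted (mkdir -m 700 below)`, would keep the next maintainer from reintroducing it. If any of those other outputs holds per-user data, it now needs its own explicit mode, because the `-m 700` on the media directory does not cover files created elsewhere.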
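Review bot: `mkdir -p "${VM_MEDIADIR}" -m 700` only applies the mode when the leaf directory is newly created; a "${VM_MEDIADIR}" that already exists (from an earlier run, or created by hand) keeps whatever mode it has, and parents that `-p` creates get the umask default rather than 700 — which matters more now that the global `umask 077` is gone. Make the restriction unconditional with `mkdir -p -m 700 -- "${VM_MEDIADIR}"` followed by `chmod 700 -- "${VM_MEDIADIR}"`; putting the option before the operand also keeps the call portable to non-GNU mkdir. With mode 700 the following `chgrp "$(id -g)"` grants the group nothing, so keep it only if something else relies on the group ownership. Neither new line checks its exit status, so a failed mkdir lets create_printerlist go on and write into a directory the script could not secure; `|| exit 1` (or the script's own error helper, if it has one) on the mkdir line closes that gap.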
@@ -32,3 +32,6 @@
 state: absent
 purge: true
 autoremove: true
+
+- name: Set VM permissions
+ ansible.builtin.command: chmod -R o+r /lmn/vm
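Review bot: `chmod -R o+r /lmn/vm` adds read but not search permission on directories, so any directory under /lmn/vm that is still 700 from the time vm-run ran under `umask 077` becomes listable but its images stay unopenable for other users; `chmod -R o+rX /lmn/vm` (capital X: execute on directories and on files that already have it) is the form that actually makes the tree readable. The task also runs on every play and always reports changed; adding `changed_when: false`, or replacing it with `ansible.builtin.file` using `path: /lmn/vm`, `recurse: true` and a symbolic `mode`, keeps the play idempotent and avoids the command-module warning. World-read on the whole tree is broad: if /lmn/vm ever holds anything besides the images meant to be shared (for example per-user data written by vm-run), this exposes it, so the path should be narrowed to the image directory if one exists. The preceding context lines belong to a different task whose start is outside the hunk.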