scripts/vps-create: fix VE_PRVT permissions

Script's $VE_PRVT is something like /vz/private/100.tmp, which will
be renamed into the new container's tree root directory
(/vz/private/100 in this example).

Some templates do not include an entry for "." or "/". When these are
used (with "vzctl create") on a host system with umask 077 (Owl's
default), this resulted in the new system's root directory having
mode 700, and in turn in all sorts of things failing in the system
(useradd, su to a user, etc.)  The patch corrects this.

While at it, the patch also sets the perms to 700 temporarily, which
might protect the running tar from attacks on it by a non-root user on
the host system if the user's uid/gid permit for writes into a directory
in the tree being extracted.  Of course, if the tarball _does_ have an
entry for "." or "/" with perms 755, such temporary protection may get
undone too soon.  So it's just an imperfect hardening measure that
sometimes works and sometimes does not.  But it was very cheap to
introduce, so why not.  If /vz/private itself is mode 700, then this is
redundant.

Signed-off-by: Kir Kolyshkin <kir@openvz.org>
1 file changed
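
The failure mode and the correction described in the message above, reproduced as an added shell example (this is not the code from the vps-create patch). The template tarball, the temporary paths and the function names are constructed for the demo, and the shape of the fix (chmod 700 before extraction, chmod 755 after) is an assumption based on the message.

```shell
#!/bin/sh
# Constructed demo: a template with no "." entry, extracted under umask 077.

# Print the octal mode of a path (GNU stat, falling back to BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Build a constructed template whose archive lists only etc/ and etc/passwd,
# never "." or "/", like the templates the commit message describes.
make_template() {
    src=$(mktemp -d) || return 1
    mkdir -m 755 "$src/etc" && : > "$src/etc/passwd" || return 1
    tar -cf "$1" -C "$src" etc || return 1
    rm -rf "$src"
}

# Old behaviour: the tree root is created under umask 077 and nothing in the
# archive ever sets its mode, so it stays 700.
extract_plain() (
    umask 077
    mkdir "$2" && tar -xf "$1" -C "$2" && mode_of "$2"
)

# Assumed shape of the fix: force 700 while tar runs (independent of the host
# umask), then set the final 755 explicitly once extraction is complete.
# An archive that does carry "." with mode 755 could lift the 700 early,
# which is the imperfection the message points out.
extract_fixed() (
    umask 077
    mkdir "$2" && chmod 700 "$2" && tar -xf "$1" -C "$2" &&
        chmod 755 "$2" && mode_of "$2"
)

demo() {
    work=$(mktemp -d) || return 1
    make_template "$work/tmpl.tar" || return 1
    echo "plain: $(extract_plain "$work/tmpl.tar" "$work/100.tmp")"
    echo "fixed: $(extract_fixed "$work/tmpl.tar" "$work/101.tmp")"
    rm -rf "$work"
}
demo
```

A quick audit for containers created before the fix is to run `mode_of` against each directory under /vz/private and look for 700 on a tree root.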