From 9941716bb109f3bd5e6d2c40ca95da7f550eda43 Mon Sep 17 00:00:00 2001
From: "M. Rehan"
Date: Wed, 8 May 2024 00:41:39 +0500
Subject: [PATCH] Make changes to correct perms on /data
---
 truenas_install/__main__.py | 6 +++++-
 truenas_install/fhs.py | 2 +-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/truenas_install/__main__.py b/truenas_install/__main__.py
index 3a63758..ecea7f1 100644
--- a/truenas_install/__main__.py
+++ b/truenas_install/__main__.py
@@ -477,9 +477,13 @@ def main():
 setup_machine_id = configure_serial = True
- # We do not want /data directory to be world readable
+ # We only want /data itself (without contents) and /data/subsystems to be 755
+ # whereas everything else should be 700
 # Doing this here is important so that we cover both fresh install and upgrade case
 run_command(["chmod", "-R", "u=rwX,g=,o=", f"{root}/data"])
+ run_command(["chmod", "u=rwx,g=rx,o=rx", os.path.join(root, "data")])
+ if os.path.exists(os.path.join(root, "data/subsystems")):
+ run_command(["chmod", "-R", "u=rwx,g=rx,o=rx", os.path.join(root, "data/subsystems")])
 if setup_machine_id:
 with contextlib.suppress(FileNotFoundError):
diff --git a/truenas_install/fhs.py b/truenas_install/fhs.py
index 0d26428..8233be9 100644
--- a/truenas_install/fhs.py
+++ b/truenas_install/fhs.py
@@ -103,7 +103,7 @@ TRUENAS_DATASETS = [
 {
 'name': 'data',
 'options': ['NOSUID', 'NOEXEC', 'NOACL', 'NOATIME'],
- 'mode': 0o700,
+ 'mode': 0o755,
 'clone': True,
 },
 {
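Review bot: The recursive `chmod -R u=rwx,g=rx,o=rx` on `data/subsystems` uses a lowercase `x`, so every regular file under that tree ends up 755 (world-readable and marked executable), not only the directories, while the comment above speaks only of /data/subsystems being 755. If the goal is traversal, `run_command(["chmod", "-R", "u=rwX,g=rX,o=rX", os.path.join(root, "data/subsystems")])` keeps directories at 755 and leaves non-executable files at 644. Whether anything stored under subsystems should stay unreadable to other local users is not visible in this hunk and is worth confirming before the whole tree is widened. On style, the added calls build paths with `os.path.join` while the preceding call uses `f"{root}/data"`; one form throughout would read better. `main()` begins and continues outside the hunk.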
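Review bot: With `'mode': 0o755` on the `data` entry, the top-level directory no longer gates access to everything beneath it, so confidentiality of /data now rests on the mode of each individual entry, and the entry carries no comment saying so. A line such as `# 0o755 so /data is traversable; contents are restricted per entry by the chmod pass in __main__.py` would tie the two files together. Going by the comment in `__main__.py`, that chmod pass covers fresh install and upgrade only, so anything created directly under /data afterwards presumably depends on the creating process's umask; it is worth confirming that writers there create files with restrictive modes. `TRUENAS_DATASETS` starts and ends outside the hunk.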