2 files changed, 20 insertions, 3 deletions

diff --git a/python/vyos/utils/file.py b/python/vyos/utils/file.py
index 667a2464b..9f27a7fb9 100644
--- a/python/vyos/utils/file.py
+++ b/python/vyos/utils/file.py
@@ -134,6 +134,12 @@ def chmod_755(path):
               S_IROTH | S_IXOTH
     chmod(path, bitmask)
 
+def chmod_2775(path):
+    """ user/group permissions with set-group-id bit set """
+    from stat import S_ISGID, S_IRWXU, S_IRWXG, S_IROTH, S_IXOTH
+
+    bitmask = S_ISGID | S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH
+    chmod(path, bitmask)
 
 def makedir(path, user=None, group=None):
     if os.path.exists(path):
diff --git a/src/op_mode/image_installer.py b/src/op_mode/image_installer.py
index 6ebb38e46..77bb6460f 100644
--- a/src/op_mode/image_installer.py
+++ b/src/op_mode/image_installer.py
@@ -19,7 +19,7 @@
 
 from argparse import ArgumentParser, Namespace
 from pathlib import Path
-from shutil import copy, rmtree, copytree
+from shutil import copy, chown, rmtree, copytree
 from sys import exit
 from urllib.parse import urlparse
 
@@ -29,7 +29,9 @@ from vyos.configtree import ConfigTree
 from vyos.remote import download
 from vyos.system import disk, grub, image
 from vyos.template import render
-from vyos.util import ask_input, ask_yes_no, run
+from vyos.utils.io import ask_input, ask_yes_no
+from vyos.utils.file import chmod_2775
+from vyos.util import run
 
 # define text messages
 MSG_ERR_NOT_LIVE: str = 'The system is already installed. Please use "add system image" instead.'
@@ -391,6 +393,8 @@ def install_image() -> None:
         print('Creating a configuration file')
         target_config_dir: str = f'{DIR_DST_ROOT}/boot/{image_name}/rw/opt/vyatta/etc/config/'
         Path(target_config_dir).mkdir(parents=True)
+        chown(target_config_dir, group='vyattacfg')
+        chmod_2775(target_config_dir)
         # copy config
         if migrate_config():
             copy('/opt/vyatta/etc/config/config.boot', target_config_dir)
@@ -485,9 +489,16 @@ def add_image(image_path: str) -> None:
         # copy config
         if migrate_config():
             print('Copying configuration directory')
-            copytree('/opt/vyatta/etc/config/', target_config_dir)
+            # copytree preserves perms but not ownership:
+            Path(target_config_dir).mkdir(parents=True)
+            chown(target_config_dir, group='vyattacfg')
+            chmod_2775(target_config_dir)
+            copytree('/opt/vyatta/etc/config/', target_config_dir,
+                     dirs_exist_ok=True)
         else:
             Path(target_config_dir).mkdir(parents=True)
+            chown(target_config_dir, group='vyattacfg')
+            chmod_2775(target_config_dir)
             Path(f'{target_config_dir}/.vyatta_config').touch()
 
         # copy system image and kernel files