Comment 18 for bug 1129748

Jeremy Stanley (fungi) wrote :

The way I would usually expect distributions to try and solve situations like this is to define a common openstack-images system group, add the nova and qemu users to it, make the containing directory setgid owned by nova with group openstack-images, and set an appropriately strict umask when calling nova so that it creates group-readable but non-world-readable files. As long as there are ways to convince nova to obey setgid and umask (assuming it doesn't already), this should be doable, right?
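
The layout proposed in this comment, as an added sketch that is not part of the original comment or of nova: a setgid directory, a file written under a strict umask, and a check that flags files that are world-accessible, not group-readable, or in the wrong group. The function names, directory mode 2750 and umask 027 are assumptions, and GNU `stat -c` is required. On a real host the group would be the shared one the comment names; the script takes any numeric GID so it can be tried unprivileged.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical. Needs GNU stat (-c).

# prepare_image_dir DIR GID: group-owned, setgid, nothing for "other".
# Mode 2750 is an assumed choice; the comment only asks for setgid.
prepare_image_dir() {
    mkdir -p "$1" && chgrp "$2" "$1" && chmod 2750 "$1"
}

# write_image DIR NAME: create a file as a service started with umask 027
# would (assumed value). The subshell keeps the caller's umask unchanged.
write_image() {
    ( umask 027 && : > "$1/$2" )
}

# audit_image_dir DIR GID: print every deviation; non-zero status if any.
audit_image_dir() {
    dir=$1 gid=$2 bad=0
    mode=$(stat -c '%a' "$dir")
    case $mode in
        [2367]??0) ;;
        *) echo "$dir: mode $mode, want setgid and no access for other"; bad=1 ;;
    esac
    [ "$(stat -c '%g' "$dir")" = "$gid" ] || { echo "$dir: wrong group"; bad=1; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        fmode=$(stat -c '%a' "$f")
        case $fmode in
            *[1-7]) echo "$f: mode $fmode grants access to other"; bad=1 ;;
        esac
        case $fmode in
            *[4-7]?) ;;
            *) echo "$f: mode $fmode is not group-readable"; bad=1 ;;
        esac
        [ "$(stat -c '%g' "$f")" = "$gid" ] || { echo "$f: wrong group"; bad=1; }
    done
    return "$bad"
}

# Usage: sh script.sh DIR GID   (audits an existing directory)
if [ "$#" -eq 2 ]; then audit_image_dir "$1" "$2"; fi
```

A file created by a process that ignores the intended umask (for example one running with 022) ends up mode 644 and is reported by `audit_image_dir`.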