Comment 5 for bug 691590

C de-Avillez (hggdh2) wrote : Re: libvirt should not take ownership of ISO images

@Clint: zsync does the same (writes the updated file to a temp, then renames/unlinks/whatever -- did not check the source).

@Jamie: I just tried with qemu.conf setting user/group to root -- the ISO gets chown-ed to root:root, 0600. So, no dice here. Nevertheless, my whole point is it does not make much sense, security-wise, to chown a read-only file: it is an ISO image, and it is mounted on the CDROM:

        <devices>
                <disk type='file' device='disk'>
                        <driver name='qemu' type='qcow2'/>
                        <source file='/var/lib/ubuntu-server-iso-testing/tests/819f2dd9-0041-48aa-8dfe-c5899f2cafe7/disk1.qcow2'/>
                        <target dev='vda' bus='virtio'/>
                </disk>
                <disk type='file' device='cdrom'>
                        <source file='/var/lib/ubuntu-server-iso-testing/isos/ubuntu-server/natty-server-amd64.iso'/>
                        <target dev='hdc'/><readonly/>
                </disk>
(...)
        </devices>

If the file is never chown-ed to libvirt:kvm/whatever, then there is no race -- the file will keep the current ownership. Obviously, this does not apply to the qcow2 disc -- there is a clear exposure there. Now, why does libvirt in user-mode also chown the discs? I would expect the user-mode to run under the control (and ownership, at least for the disc images) of the effective userId that started the VM.
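
Added example (not part of the original comment, and not libvirt or Ubuntu code): a small audit that parses a domain definition like the one quoted above and lists the read-only images that would still be subject to the ownership change discussed here. It assumes the per-source <seclabel model='dac' relabel='no'/> override documented for libvirt's domain XML, which the comment does not mention; the sample XML and its /var/lib/example paths are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a writable disk, a read-only cdrom, and a hypothetical
# second cdrom that opts out of DAC relabeling via a per-source <seclabel>.
SAMPLE_DOMAIN = """
<domain type='kvm'>
  <devices>
    <disk type='file' device='disk'>
      <source file='/var/lib/example/disk1.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <disk type='file' device='cdrom'>
      <source file='/var/lib/example/isos/natty-server-amd64.iso'/>
      <target dev='hdc'/><readonly/>
    </disk>
    <disk type='file' device='cdrom'>
      <source file='/var/lib/example/isos/shared.iso'>
        <seclabel model='dac' relabel='no'/>
      </source>
      <target dev='hdd'/><readonly/>
    </disk>
  </devices>
</domain>
"""

def audit_disks(domain_xml):
    """Return one record per file-backed disk in a libvirt domain definition."""
    records = []
    for disk in ET.fromstring(domain_xml).iterfind("./devices/disk[@type='file']"):
        source = disk.find("source")
        if source is None or not source.get("file"):
            continue  # e.g. an empty cdrom drive with no media
        # Assumption: only an explicit model='dac' opt-out stops the chown.
        opted_out = source.find("seclabel[@model='dac'][@relabel='no']") is not None
        records.append({
            "path": source.get("file"),
            "readonly": disk.find("readonly") is not None,
            "relabel": not opted_out,
        })
    return records

def readonly_relabel_candidates(domain_xml):
    """Paths of read-only images whose ownership may still be changed."""
    return [r["path"] for r in audit_disks(domain_xml)
            if r["readonly"] and r["relabel"]]

if __name__ == "__main__":
    for path in readonly_relabel_candidates(SAMPLE_DOMAIN):
        print("read-only image subject to ownership change:", path)
```

The writable qcow2 disk is deliberately not reported: as the comment notes, relabeling is a real protection there, so the audit only flags images attached read-only.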