2 files changed, 27 insertions, 4 deletions

diff --git a/lib/leap_cli/ssh/backend.rb b/lib/leap_cli/ssh/backend.rb
index 67c6ec9a..80203b61 100644
--- a/lib/leap_cli/ssh/backend.rb
+++ b/lib/leap_cli/ssh/backend.rb
@@ -4,6 +4,7 @@
 # common exceptions.
 #
 
+require 'stringio'
 require 'timeout'
 require 'sshkit'
 require 'leap_cli/ssh/formatter'
@@ -97,6 +98,28 @@ module LeapCli
         @scripts ||= LeapCli::SSH::Scripts.new(self, @host.hostname)
       end
 
+      #
+      # sshkit just passes upload! and download! to Net::SCP, but Net::SCP
+      # make it impossible to set the file permissions. Here is how the mode
+      # is determined, from upload.rb:
+      #
+      #    mode = channel[:stat] ? channel[:stat].mode & 07777 : channel[:options][:mode]
+      #
+      # The stat info from the file always overrides the mode you pass in options.
+      # However, the channel[:options][:mode] will be applied for pure in-memory
+      # uploads. So, if the mode is set, we convert the upload to be a memory
+      # upload instead of a file upload.
+      #
+      # Stupid, but blame Net::SCP.
+      #
+      def upload!(src, dest, options={})
+        if options[:mode]
+          super(StringIO.new(File.read(src)), dest, options)
+        else
+          super(src, dest, options)
+        end
+      end
+
       private
 
       #
diff --git a/lib/leap_cli/ssh/scripts.rb b/lib/leap_cli/ssh/scripts.rb
index feefdd46..7b76285b 100644
--- a/lib/leap_cli/ssh/scripts.rb
+++ b/lib/leap_cli/ssh/scripts.rb
@@ -88,7 +88,7 @@ module LeapCli
       def install_authorized_keys
         ssh.log :updating, "authorized_keys" do
           mkdirs '/root/.ssh'
-          ssh.upload! LeapCli::Path.named_path(:authorized_keys), '/root/.ssh/authorized_keys', :mode => '600'
+          ssh.upload! LeapCli::Path.named_path(:authorized_keys), '/root/.ssh/authorized_keys', :mode => 0600
         end
       end
 
@@ -105,7 +105,7 @@ module LeapCli
       def install_insecure_vagrant_key
         ssh.log :installing, "insecure vagrant key" do
           mkdirs '/root/.ssh'
-          ssh.upload! LeapCli::Path.vagrant_ssh_pub_key_file, '/root/.ssh/authorized_keys2', :mode => '600'
+          ssh.upload! LeapCli::Path.vagrant_ssh_pub_key_file, '/root/.ssh/authorized_keys2', :mode => 0600
         end
       end
 
@@ -114,8 +114,8 @@ module LeapCli
         node_init_path = File.join(bin_dir, 'node_init')
         ssh.log :running, "node_init script" do
           mkdirs bin_dir
-          ssh.upload! LeapCli::Path.node_init_script, node_init_path, :mode => '500'
-          ssh.stream node_init_path
+          ssh.upload! LeapCli::Path.node_init_script, node_init_path, :mode => 0700
+          ssh.stream node_init_path, :log_wrap => true
         end
       end