AOSC-Dev/ciel-rs

Ciel does not guarantee the root of nspawn containers to have the correct permissions

Closed this issue · 0 comments

Summary

When creating an nspawn container, ciel does not guarantee the correct permissions on the root of the container, which should have at least 551 for services inside the container to function.

Cause

  1. ciel does not validate the permission of the directories .ciel/container/instances/<instance>/layers/{diff{,.tmp},local} when creating them. And while unsquashfs guarantees the root of the base image to have the correct permission, this causes incorrect permissions of the root directory of the container when these directories are layered on top of the base image.
  2. AOSC by default sets its umask to 0077 in /etc/login.defs. But only bash shells default their umask to 0002 (see /etc/bashrc.d/20-shell.sh). And since sudo inherits the umask of the calling environment (at least by default), this means when using any shell other than bash to run ciel, the aforementioned directories won't have the executable bit set.

Reproducing

  1. Run umask 0077 to simulate the behavior of every non-bash shell.
  2. Create a new directory and cd into it.
  3. Run sudo ciel init.
  4. Run sudo ciel load-os.
  5. Run sudo ciel config -g.
  6. Run sudo ciel add default.
  7. Run sudo ciel shell -i default, which should fail with Failed to start transient service unit: Failed to activate service 'org.freedesktop.systemd1': timed out (service_start_timeout=25000ms). The container's journal should be available under default/var/log/journal/<machine-id>/system.journal and should look something like this (journal file)

Currently possible workarounds

  1. Use chmod 755 on the container root after mounting
  2. Run umask 0022 before running ciel
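
The following is an added example, not code from the issue or from ciel-rs: it creates the three layer directories under umask 0077 with a plain mkdir and with a mkdir followed by an explicit chmod, then compares the resulting modes against the 551 minimum stated above. The helper names (`create_dir_with_mode`, `create_layers`, `demo`) are hypothetical, the scratch directory is constructed, and a Linux target is assumed for the `umask` declaration.

```rust
use std::{fs, io, os::unix::fs::PermissionsExt, path::Path};

// umask(2) from libc; mode_t is u32 on Linux (assumption: Linux target).
extern "C" {
    fn umask(mask: u32) -> u32;
}

const MIN_MODE: u32 = 0o551; // minimum the issue states for the container root
const FIX_MODE: u32 = 0o755; // mode used by the chmod workaround

fn mode_of(path: &Path) -> io::Result<u32> {
    Ok(fs::metadata(path)?.permissions().mode() & 0o777)
}

fn meets_minimum(mode: u32) -> bool {
    mode & MIN_MODE == MIN_MODE
}

/// Hypothetical helper: mkdir, then chmod. chmod(2) is not filtered by umask.
fn create_dir_with_mode(path: &Path, mode: u32) -> io::Result<()> {
    fs::create_dir_all(path)?;
    fs::set_permissions(path, fs::Permissions::from_mode(mode))
}

/// Creates the layer directories both ways; returns (plain, fixed) modes.
fn create_layers(base: &Path) -> io::Result<(Vec<u32>, Vec<u32>)> {
    let (mut plain, mut fixed) = (Vec::new(), Vec::new());
    for name in ["diff", "diff.tmp", "local"].iter() {
        let p = base.join("plain").join(name);
        fs::create_dir_all(&p)?; // resulting mode = 0777 & !umask
        plain.push(mode_of(&p)?);
        let f = base.join("fixed").join(name);
        create_dir_with_mode(&f, FIX_MODE)?;
        fixed.push(mode_of(&f)?);
    }
    Ok((plain, fixed))
}

/// Runs create_layers under umask 0077 in a constructed scratch directory.
fn demo() -> io::Result<(Vec<u32>, Vec<u32>)> {
    let base = std::env::temp_dir().join(format!("ciel-umask-demo-{}", std::process::id()));
    let old = unsafe { umask(0o077) }; // simulate a non-bash shell on AOSC
    let result = create_layers(&base);
    unsafe { umask(old) }; // restore the caller's umask
    let _ = fs::remove_dir_all(&base);
    result
}
```
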