chmod can do it, you don't need find.
Use symbolic mode and capital X.
chmod -R u=rwX,og=rX directory
alternately to avoid repetition, and make easier to edit. We can made it action orientated, instead of role orientated.
chmod -R a=rX,u+w directory
The capital X tells chmod to apply x to directories, (and if it already has it, if you do for example go+X).
Manual extract:
The format of a symbolic mode is [ugoa...][[+-=][perms...]...], where perms is either zero or more letters from the set rwxXst, or a single letter from the set ugo. Multiple symbolic modes can be given, separated by commas.
A combination of the letters ugoa controls which users' access to the file will be changed: the user who owns it (u), other users in the file's group (g), other users not in the file's group (o), or all users (a). If none of these are given, the effect is as if a were given, but bits that are set in the umask are not affected.
The operator + causes the selected file mode bits to be added to the existing file mode bits of each file; - causes them to be removed; and = causes them to be added and causes unmentioned bits to be removed except that a directory's unmentioned set user and group ID bits are not affected.
The letters rwxXst select file mode bits for the affected users: read (r), write (w), execute (or search for directories) (x), execute/search only if the file is a directory or already has execute permission for some user (X), set user or group ID on execution (s), restricted deletion flag or sticky bit (t). Instead of one or more of these letters, you can specify exactly one of the letters ugo: the permissions granted to the user who owns the file (u), the permissions granted to other users who are members of the file's group (g), and the permissions granted to users that are in neither of the two preceding categories (o).
I realize this is a very old post but I just recently solved this exact problem by submitting patches to libvirt. Starting in libvirt v6.10, you'll be able to specify the "fmode" and "dmode" options on 9pfs shares which control the default host permissions on files and directories, respectively.
If you can't run v6.10, I found a workaround using the qemu:commandline feature of libvirt's XML domain to pass the raw QEMU flags. I wrote a blog post about how to do this but the quick version is to put something like
<commandline xmlns="http://libvirt.org/schemas/domain/qemu/1.0">
<arg value="-fsdev"/>
<arg value="local,security_model=mapped,id=fsdev-fs0,path=/path/to/share,fmode=0644,dmode=0755"/>
<arg value="-device"/>
<arg value="virtio-9p-pci,id=fs0,fsdev=fsdev-fs0,mount_tag=sharename,bus=pci.6,addr=0x0"/>
</commandline>
into your domain XML as a child of "domain." The blog post goes into more detail about the values but you may need to tweak fsdev-fs0, fs0, and sharename to fit your domain.
Best Answer
Talked to the infrastructure people, and the answer is that there are extended ACLs in place that act differently based on location, and that they were erroneously set.