The init script for ebtables uses touch and chmod to create a file with mode 0600: save() { ebegin "Saving ebtables state" touch "${ebtables_save}" chmod 0600 "${ebtables_save}" ... A call to "checkpath" from OpenRC (man openrc-run) would be more appropriate there. It's more portable, being part of OpenRC, and more secure. There's no issue here, but in general, chmod will follow symlinks and so calling it automatically as root in an init script is asking for trouble.
The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=183aaaf64658625cb006b7cadb33e3a27e8fa496 commit 183aaaf64658625cb006b7cadb33e3a27e8fa496 Author: Mike Frysinger <vapier@chromium.org> AuthorDate: 2021-02-09 15:48:43 +0000 Commit: Mike Frysinger <vapier@gentoo.org> CommitDate: 2021-02-09 15:58:04 +0000 net-firewall/ebtables: switch init to checkpath #603268 This makes the code a little simpler & more robust, and avoids creating /var paths at install time. Fixes: https://bugs.gentoo.org/603268 Signed-off-by: Mike Frysinger <vapier@gentoo.org> net-firewall/ebtables/ebtables-2.0.11-r3.ebuild | 1 - net-firewall/ebtables/files/ebtables.initd-r1 | 5 +++-- 2 files changed, 3 insertions(+), 3 deletions(-)