The save() function of ipset calls "touch" and "chmod" to create a mode 600 file:

  save() {
      ebegin "Saving ipset session"
      touch "${IPSET_SAVE}"
      chmod 0600 "${IPSET_SAVE}"
      ipset save > "${IPSET_SAVE}"
      eend $?
  }

A single call to "checkpath" from OpenRC (man openrc-run) would be better. It's more portable, being part of OpenRC, but it's also slightly more secure: chmod will follow a symlink and change the mode of a target; checkpath won't. There's no real risk here, but since checkpath is a better choice anyway, the absence of chmod would be reassuring.
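
The symlink behaviour described in the report above, as an added example that is not part of the original bug or of the Gentoo init script: it runs the touch+chmod pattern against a save path that is a symlink, next to a write that never calls chmod on an existing path. save_atomic is a hypothetical helper (not checkpath, and not the committed fix), and all paths are constructed inside a private temp directory.

```shell
#!/bin/sh
# Added example; paths below are constructed and live in a private temp dir.

mode_of() { ls -ld "$1" | cut -c1-10; }      # e.g. "-rw-r--r--"

# Pattern from the report: chmod resolves a symlink at the save path.
save_touch_chmod() {
    touch "$1"
    chmod 0600 "$1"
}

# Hypothetical alternative: save_atomic DEST CMD [ARGS...]
# Writes CMD's output to a fresh 0600 temp file next to DEST, then renames
# it over DEST. No chmod is ever applied to a pre-existing path, and the
# rename replaces a symlink at DEST instead of following it.
save_atomic() {
    dest=$1; shift
    if [ -d "$dest" ]; then                  # mv would move *into* a directory
        echo "refusing directory: $dest" >&2
        return 1
    fi
    tmp=$(mktemp "${dest}.XXXXXX") || return 1   # mktemp creates it mode 0600
    if "$@" > "$tmp"; then
        mv -f "$tmp" "$dest"
    else
        rm -f "$tmp"
        return 1
    fi
}

demo() {
    d=$(mktemp -d) || return 1
    printf 'unrelated file\n' > "$d/other"; chmod 0644 "$d/other"
    ln -s "$d/other" "$d/ipset.save"         # save path is a symlink

    save_touch_chmod "$d/ipset.save"
    echo "touch+chmod:  other is now $(mode_of "$d/other")"

    chmod 0644 "$d/other"                    # reset for the second run
    save_atomic "$d/ipset.save" printf 'create demo hash:ip\n'
    echo "atomic write: other is still $(mode_of "$d/other")," \
         "save file is $(mode_of "$d/ipset.save")"
    rm -rf "$d"
}

demo
```

In an init script the call would take the form `save_atomic "${IPSET_SAVE}" ipset save`, which also keeps the exit status of `ipset save` available for `eend`.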
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3ae1990e869c46b56da84d4202d52dfb3ebd21aa

commit 3ae1990e869c46b56da84d4202d52dfb3ebd21aa
Author:     Robin H. Johnson <robbat2@gentoo.org>
AuthorDate: 2017-11-30 20:28:32 +0000
Commit:     Robin H. Johnson <robbat2@gentoo.org>
CommitDate: 2017-11-30 20:35:48 +0000

    net-firewall/ipset: improve init.d save

    Closes: https://bugs.gentoo.org/603376
    Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
    Package-Manager: Portage-2.3.16, Repoman-2.3.6

 net-firewall/ipset/files/ipset.initd-r4 | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)