Bug 91548 - sys-cluster/ipvsadm unsecure file permission : world readable
Summary: sys-cluster/ipvsadm unsecure file permission : world readable
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B4? [] jaervosz
Depends on:
Reported: 2005-05-05 03:05 UTC by eromang
Modified: 2005-05-12 08:53 UTC
Description eromang 2005-05-05 03:05:48 UTC

Ipvsadm is used by Linux Virtual Server to do load balancing directly from the kernel.

We provide such solutions to our customers, but they only have basic user access. We don't want to give them our knowledge of how to do it themselves. If they want to learn ipvsadm they have to read the documentation and test this tool themselves.

In fact, a virtual address is created to hide the real address of the real servers.

So the file /var/lib/ipvsadm/rules-save is world readable.

Reproducible: Always
Steps to Reproduce:

Actual Results:  
This file is world readable

Expected Results:  
This file should not be world readable
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2005-05-05 09:50:48 UTC
cluster please advise.
Comment 2 Brian Jackson (RETIRED) gentoo-dev 2005-05-05 13:03:51 UTC
It's not anything sensitive, if someone is trying to hide it from their clients, 
it's up to them to set their own permissions.

Of course I'd be willing to accept a better excuse for changing the perms in the 
ebuild if there was one.
Comment 3 Romang 2005-05-05 13:41:59 UTC

I don't understand the philosophy of leaving such files world readable, same as rules-save for iptables.

This file is only dedicated to root, and only root could manage the load balancing (or a local user with sudo commands). So why give this information to basic users? There is a conflict between giving the ipvsadm command only to root and giving everybody access to the configuration. It is not logical.

By default these files should not be readable by users, and the sysadmin has to decide whether to give them access or not. Isn't security by default the concept?

Is this a better excuse?

Comment 4 Sune Kloppenborg Jeppesen gentoo-dev 2005-05-11 07:26:17 UTC
Cluster, you propose to close this as WONTFIX?
Comment 5 Martin Holzer (RETIRED) gentoo-dev 2005-05-12 06:28:24 UTC
this is from debian-sarge
clnode2:/var/lib# ls -la /etc/ipvsadm.rules
-rw-r--r--  1 root root 31 Feb  8 11:47 /etc/ipvsadm.rules

I vote for WONTFIX
Comment 6 Martin Holzer (RETIRED) gentoo-dev 2005-05-12 06:48:09 UTC
and this from suse linux
-rwxr-xr-x     root     root           41 Jul  2 17:01 /etc/ipvsadm.rules
Comment 7 Brian Jackson (RETIRED) gentoo-dev 2005-05-12 08:53:29 UTC
so it shall be
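
Since the bug was closed with permissions left to the administrator, here is one way a sysadmin could audit and restrict the saved rules file locally. This is an added example, not part of the bug thread or the ipvsadm ebuild; the function names are hypothetical, and the only path taken from the report is /var/lib/ipvsadm/rules-save.

```shell
#!/bin/sh
# Added example: audit and tighten permissions on saved LVS/firewall rule files.
# Usage (as root): sh audit.sh /var/lib/ipvsadm/rules-save [more files...]

# Succeeds if "other" holds any of r/w/x on the file (POSIX find only).
is_world_accessible() {
    [ -n "$(find "$1" -prune \( -perm -004 -o -perm -002 -o -perm -001 \) 2>/dev/null)" ]
}

# audit_rules_files <yes|no> file...
# Reports each file; with "yes" it strips all "other" bits.
# Returns 1 if any file is still world-accessible afterwards.
audit_rules_files() {
    fix=$1; shift
    rc=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "skip  $f (not present)"
        elif is_world_accessible "$f"; then
            if [ "$fix" = yes ] && chmod o-rwx "$f"; then
                echo "fixed $f"
            else
                echo "OPEN  $f"; rc=1
            fi
        else
            echo "ok    $f"
        fi
    done
    return $rc
}

# save_private <file>: write stdin to <file> with mode 0600.
# A umask alone does not change the mode of a file that already exists,
# so write a fresh temp file under umask 077 and rename it over the old one.
save_private() {
    (
        umask 077
        tmp="$1.tmp.$$"
        rm -f "$tmp"
        cat > "$tmp" && mv -f "$tmp" "$1"
    )
}

# Report-only audit of any files given on the command line.
if [ "$#" -gt 0 ]; then
    audit_rules_files no "$@"
fi
```

A `chmod` alone is undone if the file is later recreated under the default umask, so the save step has to go through something like `save_private` as well.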