Ipvsadm is used by Linux Virtual Server to do load balancing directly from the kernel.
We provide such solutions to our customers, but they only have basic user access. We don't want to give them our knowledge of how to do it themselves. If they want to learn ipvsadm, they have to read the documentation and test this tool themselves.
In fact, a virtual address is created to hide the real address of the real servers.
So the file /var/lib/ipvsadm/rules-save is world readable.
Steps to Reproduce:
This file is world readable
This file should not be world readable
cluster please advise.
It's not anything sensitive, if someone is trying to hide it from their clients,
it's up to them to set their own permissions.
Of course I'd be willing to accept a better excuse for changing the perms in the
ebuild if there was one.
Don't understand the philosophy of leaving such files world readable, same as rules-save for iptables.
This file is dedicated only to root, and only root can manage the load balancing (or a local user with sudo commands). So why give this information to basic users? There is a conflict between giving the ipvsadm command only to root and giving everybody access to the configuration. Not logical.
By default these files should not be readable by users, and the sysadmin has to decide whether to give them access or not. Security by default, is this not the concept?
Is this a better excuse?
Cluster you propose to close this as WONTFIX?
this is from debian-sarge
clnode2:/var/lib# ls -la /etc/ipvsadm.rules
-rw-r--r-- 1 root root 31 Feb 8 11:47 /etc/ipvsadm.rules
I vote for WONTFIX
and this from suse linux
-rwxr-xr-x root root 41 Jul 2 17:01 /etc/ipvsadm.rules
so it shall be