Amish <anon.amish@xxxxxxxxx> wrote: > I use Arch Linux. Apache 2.4.54 and iptables 1.8.8 (nft based). > > I have a setuid script, given below, which runs via apache httpd and simply > calls "iptables -w -nvL INPUT" and gives the output. > > But with iptables 1.8.8 it fails with error code 111 (undocumented code) > > > curl http://127.0.0.1/ipt.e > EUID = 0, EGID=33 > iptables exited with exit code=111 > iptables exited with exit code=111 I plan to add this to the manual page: iptables will exit immediately with an error code of 111 if it finds that it was called as a setuid-to-root program. iptables cannot be used safely in this manner because it trusts the shared libraries (matches, targets) loaded at run time, the search path can be set using environment variables. > So it appears to be some kind of bug introduced in 1.8.8. Its intentional. > The C script follows: (Can be used for testing) > int my_system(const char *program, char *const argv[]) > { > pid_t pid = fork(); > if (pid==(pid_t)-1) return -1; > if (!pid) { execve(program, argv, environ); exit(127); } iptables evaluates some environment variables and trusts that info. If you absolutely have to do this, re-set environ so that someone else calling this wrapper can't use it to load their own modules/targets. Then add a 'setuid(0)' before execve.
