Re: iptables 1.8.8 fails with error code 111 but iptables 1.8.7 succeeds with same script

On 2022-06-17, at 20:02:13 +0530, Amish wrote:
> I use Arch Linux. Apache 2.4.54 and iptables 1.8.8 (nft based).
>
> I have a setuid script, given below, which runs via apache httpd and
> simply calls "iptables -w -nvL INPUT" and gives the output.
>
> But with iptables 1.8.8 it fails with error code 111 (undocumented
> code)
>
> > curl http://127.0.0.1/ipt.e
> EUID = 0, EGID=33
> iptables exited with exit code=111
> iptables exited with exit code=111
>
> It doesn't even print any error message. (not even to httpd error log
> - via stderr)

It is no longer possible to run iptables under seteuid, since it is not
possible to do so safely.  From 1.8.8, iptables checks whether the UID
matches the EUID and exits with 111 if they differ:

  https://git.netfilter.org/iptables/commit/?id=ef7781eb1437a2d6fd37eb3567c599e3ea682b96

J.
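To make the behaviour J. describes concrete, here is an added C illustration (not libxtables code and not from this thread): `xtables_style_check` models the decision iptables 1.8.8 makes (real UID compared with effective UID, status 111 on mismatch, no message), and `make_ids_match` shows what a wrapper that must still call iptables has to do first; both names are hypothetical.

```c
/* Added illustration of the iptables >= 1.8.8 behaviour described in the
 * reply above: when the real and effective UIDs differ, iptables exits
 * with status 111 and prints nothing. Function names are hypothetical;
 * this is not the libxtables source. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

#define XTABLES_SETUID_EXIT 111

/* Mirrors the documented decision: 111 when uid != euid, else 0. */
int xtables_style_check(uid_t uid, uid_t euid)
{
    return uid != euid ? XTABLES_SETUID_EXIT : 0;
}

/* A set-user-ID wrapper that still needs to exec iptables has to make the
 * real and effective UIDs agree before doing so. setreuid() to the
 * effective UID on both slots does that; it is permitted without extra
 * privilege because euid is already one of the caller's IDs. Note that
 * afterwards the process can no longer drop back to the caller's UID.
 * Returns 0 when iptables would now run, -1 if setreuid() failed. */
int make_ids_match(void)
{
    uid_t euid = geteuid();
    if (setreuid(euid, euid) != 0)
        return -1;
    return xtables_style_check(getuid(), geteuid());
}

int main(void)
{
    uid_t uid = getuid(), euid = geteuid();
    int rc = xtables_style_check(uid, euid);

    if (rc == XTABLES_SETUID_EXIT) {
        /* Say out loud what iptables itself stays silent about. */
        fprintf(stderr, "uid=%u euid=%u differ: iptables >= 1.8.8 would "
                "exit %d silently\n", (unsigned)uid, (unsigned)euid, rc);
        if (make_ids_match() != 0) {
            perror("setreuid");
            return EXIT_FAILURE;
        }
    }
    printf("uid=%u euid=%u: iptables would run\n",
           (unsigned)getuid(), (unsigned)geteuid());
    return EXIT_SUCCESS;
}
```

Run unprivileged the IDs already agree and the program reports that iptables would run; installed set-user-ID it first reports the mismatch, then normalises the IDs.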


