On 2022-06-17, at 20:02:13 +0530, Amish wrote:
> I use Arch Linux. Apache 2.4.54 and iptables 1.8.8 (nft based).
>
> I have a setuid script, given below, which runs via apache httpd and
> simply calls "iptables -w -nvL INPUT" and gives the output.
>
> But with iptables 1.8.8 it fails with error code 111 (undocumented
> code)
>
> > curl http://127.0.0.1/ipt.e
> EUID = 0, EGID=33
> iptables exited with exit code=111
> iptables exited with exit code=111
>
> It doesn't even print any error message. (not even to httpd error log
> - via stderr)

It is no longer possible to run iptables under seteuid, since it is not possible to do so safely.

From 1.8.8, iptables checks whether the UID matches the EUID and exits with 111 if they differ:
https://git.netfilter.org/iptables/commit/?id=ef7781eb1437a2d6fd37eb3567c599e3ea682b96

J.
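Added example for the behaviour described in the reply above; it is not iptables' code nor the poster's setuid script. A wrapper that is about to exec iptables can perform the same UID/EUID comparison itself and write a reason to stderr (which Apache collects in its error log) instead of surfacing only the bare status 111. The status value 111 is the one named in the thread; the function names, the wrapper structure and the `/usr/bin/iptables` path are assumptions made for this example.

```c
/* Added example (not iptables' or the list poster's code): a pre-flight
 * check a privileged wrapper can run before exec'ing iptables, so that the
 * uid/euid mismatch that iptables 1.8.8 rejects with status 111 is reported
 * with a message instead of failing silently. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Exit status reported in the thread for a real/effective UID mismatch. */
#define IPTABLES_UID_MISMATCH_STATUS 111

/* Returns 0 when real and effective UIDs agree (iptables will run) and
 * 111 when they differ (the case iptables 1.8.8 refuses). Kept as a pure
 * function so it can be exercised on constructed credentials. */
int iptables_credential_status(uid_t uid, uid_t euid)
{
    return uid == euid ? 0 : IPTABLES_UID_MISMATCH_STATUS;
}

/* Inspects the calling process and explains the outcome on stderr, so the
 * httpd error log gets a reason rather than only an exit code. */
int preflight_check(void)
{
    uid_t uid = getuid();
    uid_t euid = geteuid();
    int status = iptables_credential_status(uid, euid);

    if (status != 0) {
        fprintf(stderr,
                "iptables would refuse to run: UID=%u differs from EUID=%u "
                "(seteuid execution is rejected since 1.8.8, exit status %d)\n",
                (unsigned)uid, (unsigned)euid, status);
    }
    return status;
}

int main(void)
{
    int status = preflight_check();
    if (status != 0)
        return status;

    /* Credentials are consistent; hand over to the real binary.
     * Path is an assumption for the example (Arch installs it here). */
    execl("/usr/bin/iptables", "iptables", "-w", "-nvL", "INPUT", (char *)NULL);
    perror("execl");
    return 1;
}
```

On the setup from the thread (real UID 33 from httpd, effective UID 0 from the setuid bit) the wrapper exits with 111 before exec and leaves an explanatory line in the error log; with matching UIDs it runs iptables unchanged.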