On 17/06/22 20:39, Florian Westphal wrote:
> Amish <anon.amish@xxxxxxxxx> wrote:
> > I use Arch Linux. Apache 2.4.54 and iptables 1.8.8 (nft based).
> > I have a setuid script, given below, which runs via apache httpd and simply
> > calls "iptables -w -nvL INPUT" and gives the output.
> > But with iptables 1.8.8 it fails with error code 111 (undocumented code)
> >
> > curl http://127.0.0.1/ipt.e
> > EUID = 0, EGID=33
> > iptables exited with exit code=111
> > iptables exited with exit code=111
> >
> > The C script follows: (Can be used for testing)
> >
> > #include <stdlib.h>
> > #include <unistd.h>
> > #include <sys/wait.h>
> > extern char **environ;
> > int my_system(const char *program, char *const argv[]) {
> >     pid_t pid = fork();
> >     if (pid==(pid_t)-1) return -1;
> >     if (!pid) { execve(program, argv, environ); exit(127); }  /* child: inherits this process's environ unchanged */
> >     int status; return waitpid(pid, &status, 0) == -1 ? -1 : status;  /* parent: wait and return the raw wait status */
> > }
>
> iptables evaluates some environment variables and trusts that info.
> If you absolutely have to do this, re-set environ so that someone
> else calling this wrapper can't use it to load their own
> modules/targets.
>
> Then add a 'setuid(0)' before execve.
Great, thank you very much for your clarification.
For those who use setuid scripts, here is what I did:
For safety I added this in main() function:
unsetenv("XTABLES_LIBDIR");
unsetenv("IPTABLES_LIB_DIR");
unsetenv("IP6TABLES_LIB_DIR");
And just before execve() I added:
setuid(geteuid());
Hope it helps.
Thanks and regards,
Amish
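A hardened version of the wrapper discussed in this thread, added here as an example; it is not code from Amish or Florian. It combines both suggestions: the child gets a fixed, explicitly built environment (so none of the caller's variables, XTABLES_LIBDIR included, reach iptables), the three variables Amish named are scrubbed from the wrapper's own environment as well, argv is fixed so the web client cannot influence the command, setuid(0) is called before execve as Florian advised (the same as Amish's setuid(geteuid()) when the binary is setuid root), and the parent waits for the child and reports its exit code the way the original output did. The iptables path /usr/bin/iptables and the PATH value handed to the child are assumptions.

```c
/* Added example, not the thread's own code. Paths and PATH value are assumptions. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Library-path overrides that libxtables honours (the three named in the thread). */
static const char *const untrusted_vars[] = {
    "XTABLES_LIBDIR", "IPTABLES_LIB_DIR", "IP6TABLES_LIB_DIR", NULL
};

/* Minimal environment handed to the child: nothing is inherited from the caller.
 * The PATH value is an assumption; adjust to the distribution's layout. */
static char *const safe_envp[] = {
    "PATH=/usr/sbin:/usr/bin:/sbin:/bin",
    NULL
};

/* Remove the override variables from this process's own environment, so nothing
 * loaded into the wrapper itself sees them either. Returns how many were present. */
int scrub_xtables_env(void)
{
    int removed = 0;
    for (const char *const *v = untrusted_vars; *v; v++) {
        if (getenv(*v)) {
            unsetenv(*v);
            removed++;
        }
    }
    return removed;
}

/* Translate a waitpid() status into a shell-style exit code: the child's exit
 * code, 128+signal if it was killed by a signal, -1 for anything else. */
int wait_status_to_code(int status)
{
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    if (WIFSIGNALED(status))
        return 128 + WTERMSIG(status);
    return -1;
}

/* Run `program` with a fixed argv and the fixed environment above, as real uid 0.
 * Returns the child's exit code; 126 if setuid(0) failed, 127 if execve failed,
 * -1 if fork() or waitpid() failed. */
int run_privileged(const char *program, char *const argv[])
{
    pid_t pid = fork();
    if (pid == (pid_t)-1)
        return -1;
    if (pid == 0) {
        /* Make real, effective and saved uid all 0: tools may compare uid and euid. */
        if (setuid(0) != 0)
            _exit(126);
        execve(program, argv, safe_envp);   /* caller's environ is never passed on */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    return wait_status_to_code(status);
}

int main(void)
{
    /* argv is fixed: the HTTP client cannot add or change iptables arguments. */
    char *const argv[] = { "iptables", "-w", "-nvL", "INPUT", NULL };
    scrub_xtables_env();
    int rc = run_privileged("/usr/bin/iptables", argv);   /* path is an assumption */
    if (rc != 0)
        fprintf(stderr, "iptables exited with exit code=%d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

Passing a built envp to execve is an allowlist: it holds regardless of which variables a future libxtables release starts to honour, whereas unsetenv() of known names is a denylist that has to be kept current. Keeping both costs nothing.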