Re: iptables 1.8.8 fails with error code 111 but iptables 1.8.7 succeeds with same script

On 17/06/22 20:39, Florian Westphal wrote:
> Amish <anon.amish@xxxxxxxxx> wrote:
> > I use Arch Linux. Apache 2.4.54 and iptables 1.8.8 (nft based).
> >
> > I have a setuid script, given below, which runs via apache httpd and simply
> > calls "iptables -w -nvL INPUT" and gives the output.
> >
> > But with iptables 1.8.8 it fails with error code 111 (undocumented code)
> >
> > curl http://127.0.0.1/ipt.e
> > EUID = 0, EGID=33
> > iptables exited with exit code=111
> > iptables exited with exit code=111
> >
> > The C script follows: (Can be used for testing)
> > #include <stdlib.h>
> > #include <unistd.h>
> > #include <sys/wait.h>
> > extern char **environ;
> > int my_system(const char *program, char *const argv[])
> > {
> >      pid_t pid = fork();
> >      if (pid==(pid_t)-1) return -1;
> >      if (!pid) { execve(program, argv, environ); exit(127); }
> >      int status; /* parent: wait for the child and report its exit code */
> >      return waitpid(pid, &status, 0) == -1 ? -1 : WEXITSTATUS(status);
> > }
> iptables evaluates some environment variables and trusts that info.
> If you absolutely have to do this, re-set environ so that someone
> else calling this wrapper can't use it to load their own
> modules/targets.
>
> Then add a 'setuid(0)' before execve.

Great thank you very much for your clarification.

For those who use setuid scripts, here is what I did:

For safety I added this in main() function:

unsetenv("XTABLES_LIBDIR");
unsetenv("IPTABLES_LIB_DIR");
unsetenv("IP6TABLES_LIB_DIR");

And just before execve() I added:
setuid(geteuid());

Hope it helps.

Thanks and regards,

Amish
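A hardened version of the wrapper, as an added example (not Amish's script and not code from Florian or the iptables project): it applies both points from the thread, handing the child a freshly built environment instead of the inherited one and calling setuid() before execve(), and additionally scrubs the xtables module-path variables from the wrapper's own environment. The iptables binary path, the fixed chain argument and the PATH value are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>
/* Variables iptables (xtables) honours when locating extension libraries. */
static const char *const risky_vars[] = {
    "XTABLES_LIBDIR", "IPTABLES_LIB_DIR", "IP6TABLES_LIB_DIR", NULL
};

/* Fresh environment for the child: nothing inherited from whoever invoked the wrapper.
   The PATH value is an assumption, not something the thread specifies. */
static char *const clean_env[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };

/* Belt and braces for the wrapper process itself: drop the module-path overrides.
   Returns how many were present and removed. */
int scrub_xtables_env(void)
{
    int removed = 0;
    for (const char *const *v = risky_vars; *v; v++)
        if (getenv(*v) != NULL) { unsetenv(*v); removed++; }
    return removed;
}

/* fork/execve iptables with a fixed argv and clean_env; returns the child's
   exit status, or -1 on fork/wait failure. The binary path is an assumption. */
int run_iptables_list(const char *chain)
{
    char *const argv[] = { "iptables", "-w", "-nvL", (char *)chain, NULL };
    pid_t pid = fork();
    if (pid == (pid_t)-1) return -1;
    if (pid == 0) {
        /* Make the real uid match the effective (setuid) uid so the child keeps root. */
        if (setuid(geteuid()) == -1) _exit(126);
        execve("/usr/bin/iptables", argv, clean_env);
        _exit(127); /* only reached if execve failed */
    }
    int status;
    if (waitpid(pid, &status, 0) == -1) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    scrub_xtables_env();
    int rc = run_iptables_list("INPUT");
    if (rc != 0) printf("iptables exited with exit code=%d\n", rc);
    return rc == 0 ? 0 : 1;
}
```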



