Gentoo Archives: gentoo-perl

From: Jan Dusek <j.d@×××××××××.cz>
To: gentoo-perl@l.g.o
Subject: [gentoo-perl] IPTables::IPv4 suid problem
Date: Sun, 30 Oct 2005 13:57:10
Message-Id: 4364D126.5030601@most.ujep.cz
Hi, I'm having problems with running perl scripts that use IPTables::IPv4 via suid 
wrapper. Right now, for debugging reasons, I don't use any kernel hardening (like 
Grsecurity or PaX), but my system was emerged with "hardened" and "pic" USE flags 
- could that be the problem?

Thanks for any help.
Jan

Here's what's going on:

root # cat test.pl
#!/usr/bin/perl
use IPTables::IPv4;
use strict;

my $table = IPTables::IPv4::init('filter');
die "cannot initialize filter table!" unless defined $table;


root # cat wrap.c
#include <stdio.h>
#include <unistd.h>

int main(int argc, char** argv)
{
   /* execl() needs an argv[0] for the script and a (char *)NULL terminator.
      Note the wrapper only has the set-uid effective uid; the real uid is
      still the caller's, since setuid() is never called. */
   execl("./test.pl", "test.pl", (char *)NULL);
   perror("execl");   /* only reached if the exec itself fails */
   return 1;
}


root # gcc -o wrap wrap.c

root # chmod u+s wrap

root # ./wrap

root # su - joe

joe $ ./wrap
cannot initialize filter table! at ./test.pl line 6.

joe $ strace ./wrap
...
stat64("/etc/perl/auto/IPTables/IPv4", 0x80118740) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/perl5/site_perl/5.8.6/i686-linux/auto/IPTables/IPv4", 0x80118740) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/perl5/site_perl/5.8.6/auto/IPTables/IPv4", 0x80118740) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/perl5/site_perl/auto/IPTables/IPv4", 0x80118740) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/perl5/vendor_perl/5.8.6/i686-linux/auto/IPTables/IPv4", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat64("/usr/lib/perl5/vendor_perl/5.8.6/i686-linux/auto/IPTables/IPv4/IPv4.so", {st_mode=S_IFREG|0555, st_size=67624, ...}) = 0
stat64("/usr/lib/perl5/vendor_perl/5.8.6/i686-linux/auto/IPTables/IPv4/IPv4.bs", {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
open("/usr/lib/perl5/vendor_perl/5.8.6/i686-linux/auto/IPTables/IPv4/IPv4.so", O_RDONLY) = 4
read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\20\'\0"..., 512) = 512
fstat64(4, {st_mode=S_IFREG|0555, st_size=67624, ...}) = 0
mmap2(NULL, 69972, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 0x40203000
mmap2(0x40213000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0xf) = 0x40213000
close(4)                                = 0
mprotect(0x40203000, 65536, PROT_READ|PROT_WRITE) = 0
mprotect(0x40203000, 65536, PROT_READ|PROT_EXEC) = 0
read(3, "", 4096)                       = 0
close(3)                                = 0
socket(PF_INET, SOCK_RAW, IPPROTO_RAW)  = -1 EPERM (Operation not permitted)
write(2, "cannot initialize filter table! "..., 53cannot initialize filter table! 
at ./test.pl line 6.
) = 53
exit_group(1)                           = ?

-- 
gentoo-perl@g.o mailing list
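For comparison with the wrap.c above, here is how a set-uid wrapper for such a script is usually written: it makes the real ids equal to the effective ids (so the interpreter does not start with ruid != euid), replaces the caller's environment, uses an absolute script path, and reports exec failure. This is an added example, not the poster's code or anything from IPTables::IPv4; the script location SCRIPT is an assumed placeholder. It also refuses to run when it did not receive root at all, which is what happens when an unprivileged user runs a set-uid binary under strace, since the kernel then ignores the set-uid bit.

```c
/* wrap2.c: set-uid wrapper that hands root to the exec'd script cleanly.
 * Added example, not the poster's wrap.c.  SCRIPT is an assumed path. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define SCRIPT "/usr/local/sbin/test.pl"   /* assumed location of test.pl */

/* Fixed environment for the script: nothing from the caller survives. */
static char *clean_environ[] = { "PATH=/sbin:/usr/sbin:/bin:/usr/bin", NULL };
char **clean_env(void) { return clean_environ; }

/* Make the real ids equal to the effective ids.  With the set-uid bit this
 * yields ruid = euid = 0; without it the calls are no-ops.  Returns 0 or -1. */
int adopt_effective_ids(void)
{
    if (setgid(getegid()) != 0) return -1;   /* group first, while still root */
    if (setuid(geteuid()) != 0) return -1;
    return (getuid() == geteuid() && getgid() == getegid()) ? 0 : -1;
}

/* True only if the set-uid bit was honoured (it is not under an
 * unprivileged strace, so a traced run is not the same as a plain one). */
int has_root(void) { return geteuid() == 0; }

int main(void)
{
    if (!has_root()) {
        fprintf(stderr, "wrap: euid is %u, not 0: set-uid bit missing or ignored\n",
                (unsigned)geteuid());
        return 1;
    }
    if (adopt_effective_ids() != 0) {
        perror("wrap: setuid/setgid");
        return 1;
    }
    /* argv[0] for the script, NULL terminator, and our own environment. */
    execle(SCRIPT, "test.pl", (char *)NULL, clean_env());
    fprintf(stderr, "wrap: execle(%s): %s\n", SCRIPT, strerror(errno));
    return 1;
}
```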