[gentoo-perl] IPTables::IPv4 suid problem - gentoo-perl

From:	Jan Dusek <j.d@×××××××××.cz>
To:	gentoo-perl@l.g.o
Subject:	[gentoo-perl] IPTables::IPv4 suid problem
Date:	Sun, 30 Oct 2005 13:57:10
Message-Id:	`4364D126.5030601@most.ujep.cz`

1

Hi, I'm having problems with running perl scripts that use IPTables::IPv4 via suid 

2

wrapper. Right now, for debugging reasons, I don't use any kernel hardening (like 

3

Grsecurity or PaX), but my system was emerged with "hardened" and "pic" USE flags 

4

- could that be the problem?

5

6

Thanks for any help.

7

Jan

8

9

Here's what's going on:

10

11

root # cat test.pl

12

#!/usr/bin/perl

13

use IPTables::IPv4;

14

use strict;

15

16

my $table = IPTables::IPv4::init('filter');

17

die "cannot initialize filter table!" unless defined $table;

18

19

20

root # cat wrap.c

21

#include <stdio.h>

22

23

int main(int argc, char** argv)

24

{

25

   execl("./test.pl", 0);

26

   return 0;

27

}

28

29

30

root # gcc -o wrap wrap.c

31

32

root # chmod u+s wrap

33

34

root # ./wrap

35

36

root # su - joe

37

38

joe $ ./wrap

39

cannot initialize filter table! at ./test.pl line 6.

40

41

joe $ strace ./wrap

42

...

43

stat64("/etc/perl/auto/IPTables/IPv4", 0x80118740) = -1 ENOENT (No such file or 

44

directory)

45

stat64("/usr/lib/perl5/site_perl/5.8.6/i686-linux/auto/IPTables/IPv4", 0x80118740) 

46

= -1 ENOENT (No such file or directory)

47

stat64("/usr/lib/perl5/site_perl/5.8.6/auto/IPTables/IPv4", 0x80118740) = -1 

48

ENOENT (No such file or directory)

49

stat64("/usr/lib/perl5/site_perl/auto/IPTables/IPv4", 0x80118740) = -1 ENOENT (No 

50

such file or directory)

51

stat64("/usr/lib/perl5/vendor_perl/5.8.6/i686-linux/auto/IPTables/IPv4", 

52

{st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0

53

stat64("/usr/lib/perl5/vendor_perl/5.8.6/i686-linux/auto/IPTables/IPv4/IPv4.so", 

54

{st_mode=S_IFREG|0555, st_size=67624, ...}) = 0

55

stat64("/usr/lib/perl5/vendor_perl/5.8.6/i686-linux/auto/IPTables/IPv4/IPv4.bs", 

56

{st_mode=S_IFREG|0444, st_size=0, ...}) = 0

57

open("/usr/lib/perl5/vendor_perl/5.8.6/i686-linux/auto/IPTables/IPv4/IPv4.so", 

58

O_RDONLY) = 4

59

read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\20\'\0"..., 512) = 512

60

fstat64(4, {st_mode=S_IFREG|0555, st_size=67624, ...}) = 0

61

mmap2(NULL, 69972, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 0x40203000

62

mmap2(0x40213000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 

63

4, 0xf) = 0x40213000

64

close(4)                                = 0

65

mprotect(0x40203000, 65536, PROT_READ|PROT_WRITE) = 0

66

mprotect(0x40203000, 65536, PROT_READ|PROT_EXEC) = 0

67

read(3, "", 4096)                       = 0

68

close(3)                                = 0

69

socket(PF_INET, SOCK_RAW, IPPROTO_RAW)  = -1 EPERM (Operation not permitted)

70

write(2, "cannot initialize filter table! "..., 53cannot initialize filter table! 

71

at ./test.pl line 6.

72

) = 53

73

exit_group(1)                           = ?

74

75

--

76

gentoo-perl@g.o mailing list

1	Hi, I'm having problems with running perl scripts that use IPTables::IPv4 via suid
2	wrapper. Right now, for debugging reasons, I don't use any kernel hardening (like
3	Grsecurity or PaX), but my system was emerged with "hardened" and "pic" USE flags
4	- could that be the problem?
5
6	Thanks for any help.
7	Jan
8
9	Here's what's going on:
10
11	root # cat test.pl
12	#!/usr/bin/perl
13	use IPTables::IPv4;
14	use strict;
15
16	my $table = IPTables::IPv4::init('filter');
17	die "cannot initialize filter table!" unless defined $table;
18
19
20	root # cat wrap.c
21	#include <stdio.h>
22
23	int main(int argc, char** argv)
24	{
25	execl("./test.pl", 0);
26	return 0;
27	}
28
29
30	root # gcc -o wrap wrap.c
31
32	root # chmod u+s wrap
33
34	root # ./wrap
35
36	root # su - joe
37
38	joe $ ./wrap
39	cannot initialize filter table! at ./test.pl line 6.
40
41	joe $ strace ./wrap
42	...
43	stat64("/etc/perl/auto/IPTables/IPv4", 0x80118740) = -1 ENOENT (No such file or
44	directory)
45	stat64("/usr/lib/perl5/site_perl/5.8.6/i686-linux/auto/IPTables/IPv4", 0x80118740)
46	= -1 ENOENT (No such file or directory)
47	stat64("/usr/lib/perl5/site_perl/5.8.6/auto/IPTables/IPv4", 0x80118740) = -1
48	ENOENT (No such file or directory)
49	stat64("/usr/lib/perl5/site_perl/auto/IPTables/IPv4", 0x80118740) = -1 ENOENT (No
50	such file or directory)
51	stat64("/usr/lib/perl5/vendor_perl/5.8.6/i686-linux/auto/IPTables/IPv4",
52	{st_mode=S_IFDIR\|0755, st_size=4096, ...}) = 0
53	stat64("/usr/lib/perl5/vendor_perl/5.8.6/i686-linux/auto/IPTables/IPv4/IPv4.so",
54	{st_mode=S_IFREG\|0555, st_size=67624, ...}) = 0
55	stat64("/usr/lib/perl5/vendor_perl/5.8.6/i686-linux/auto/IPTables/IPv4/IPv4.bs",
56	{st_mode=S_IFREG\|0444, st_size=0, ...}) = 0
57	open("/usr/lib/perl5/vendor_perl/5.8.6/i686-linux/auto/IPTables/IPv4/IPv4.so",
58	O_RDONLY) = 4
59	read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\20\'\0"..., 512) = 512
60	fstat64(4, {st_mode=S_IFREG\|0555, st_size=67624, ...}) = 0
61	mmap2(NULL, 69972, PROT_READ\|PROT_EXEC, MAP_PRIVATE\|MAP_DENYWRITE, 4, 0) = 0x40203000
62	mmap2(0x40213000, 8192, PROT_READ\|PROT_WRITE, MAP_PRIVATE\|MAP_FIXED\|MAP_DENYWRITE,
63	4, 0xf) = 0x40213000
64	close(4) = 0
65	mprotect(0x40203000, 65536, PROT_READ\|PROT_WRITE) = 0
66	mprotect(0x40203000, 65536, PROT_READ\|PROT_EXEC) = 0
67	read(3, "", 4096) = 0
68	close(3) = 0
69	socket(PF_INET, SOCK_RAW, IPPROTO_RAW) = -1 EPERM (Operation not permitted)
70	write(2, "cannot initialize filter table! "..., 53cannot initialize filter table!
71	at ./test.pl line 6.
72	) = 53
73	exit_group(1) = ?
74
75	--
76	gentoo-perl@g.o mailing list

Gentoo Archives: gentoo-perl