1 |
Hi, I'm having problems with running perl scripts that use IPTables::IPv4 via suid |
2 |
wrapper. Right now, for debugging reasons, I don't use any kernel hardening (like |
3 |
Grsecurity or PaX), but my system was emerged with "hardened" and "pic" USE flags |
4 |
- could that be the problem? |
5 |
|
6 |
Thanks for any help. |
7 |
Jan |
8 |
|
9 |
Here's what's going on: |
10 |
|
11 |
root # cat test.pl |
12 |
#!/usr/bin/perl |
13 |
use IPTables::IPv4; |
14 |
use strict; |
15 |
|
16 |
my $table = IPTables::IPv4::init('filter'); |
17 |
die "cannot initialize filter table!" unless defined $table; |
18 |
|
19 |
|
20 |
root # cat wrap.c |
21 |
#include <stdio.h> |
22 |
|
23 |
int main(int argc, char** argv) |
24 |
{ |
25 |
execl("./test.pl", 0); |
26 |
return 0; |
27 |
} |
28 |
|
29 |
|
30 |
root # gcc -o wrap wrap.c |
31 |
|
32 |
root # chmod u+s wrap |
33 |
|
34 |
root # ./wrap |
35 |
|
36 |
root # su - joe |
37 |
|
38 |
joe $ ./wrap |
39 |
cannot initialize filter table! at ./test.pl line 6. |
40 |
|
41 |
joe $ strace ./wrap |
42 |
... |
43 |
stat64("/etc/perl/auto/IPTables/IPv4", 0x80118740) = -1 ENOENT (No such file or |
44 |
directory) |
45 |
stat64("/usr/lib/perl5/site_perl/5.8.6/i686-linux/auto/IPTables/IPv4", 0x80118740) |
46 |
= -1 ENOENT (No such file or directory) |
47 |
stat64("/usr/lib/perl5/site_perl/5.8.6/auto/IPTables/IPv4", 0x80118740) = -1 |
48 |
ENOENT (No such file or directory) |
49 |
stat64("/usr/lib/perl5/site_perl/auto/IPTables/IPv4", 0x80118740) = -1 ENOENT (No |
50 |
such file or directory) |
51 |
stat64("/usr/lib/perl5/vendor_perl/5.8.6/i686-linux/auto/IPTables/IPv4", |
52 |
{st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 |
53 |
stat64("/usr/lib/perl5/vendor_perl/5.8.6/i686-linux/auto/IPTables/IPv4/IPv4.so", |
54 |
{st_mode=S_IFREG|0555, st_size=67624, ...}) = 0 |
55 |
stat64("/usr/lib/perl5/vendor_perl/5.8.6/i686-linux/auto/IPTables/IPv4/IPv4.bs", |
56 |
{st_mode=S_IFREG|0444, st_size=0, ...}) = 0 |
57 |
open("/usr/lib/perl5/vendor_perl/5.8.6/i686-linux/auto/IPTables/IPv4/IPv4.so", |
58 |
O_RDONLY) = 4 |
59 |
read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\20\'\0"..., 512) = 512 |
60 |
fstat64(4, {st_mode=S_IFREG|0555, st_size=67624, ...}) = 0 |
61 |
mmap2(NULL, 69972, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 0x40203000 |
62 |
mmap2(0x40213000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, |
63 |
4, 0xf) = 0x40213000 |
64 |
close(4) = 0 |
65 |
mprotect(0x40203000, 65536, PROT_READ|PROT_WRITE) = 0 |
66 |
mprotect(0x40203000, 65536, PROT_READ|PROT_EXEC) = 0 |
67 |
read(3, "", 4096) = 0 |
68 |
close(3) = 0 |
69 |
socket(PF_INET, SOCK_RAW, IPPROTO_RAW) = -1 EPERM (Operation not permitted) |
70 |
write(2, "cannot initialize filter table! "..., 53cannot initialize filter table! |
71 |
at ./test.pl line 6. |
72 |
) = 53 |
73 |
exit_group(1) = ? |
74 |
|
75 |
-- |
76 |
gentoo-perl@g.o mailing list |