Cannot execute python-iptables (iptc) as non-root user #309

Open
matinats opened this issue Aug 27, 2020 · 2 comments

Comments

@matinats

matinats commented Aug 27, 2020

I am trying to run the python-iptables as a non-root user.

My script is test.py:

import iptc
import os

# Show which (non-root) user the process is running as
uid = os.getuid()
print("Real user ID of the current process:", uid)

# Opening the filter table is where python-iptables first talks to netfilter
table = iptc.Table(iptc.Table.FILTER)
print("Table is: {}".format(table))

I tried:

  1. Giving the capability CAP_NET_ADMIN to /usr/bin/python2.7 (outcome is: "$ getcap /usr/bin/python2.7" prints "/usr/bin/python2.7 = cap_net_admin+eip") and executing /usr/bin/python2.7 ./test.py
  2. Compiling and running with ambient capabilities as defined in: https://gist.github.com/tomix86/32394a43be70c337cbf1e0c0a56cbd8d and executing ./ambient -c '12' /usr/bin/python2.7 ./test.py
  3. I haven't yet tested with python-prctl, but it requires starting as root and then dropping privileges, which is not possible in my case.

The logs are:

('Real user ID of the current process:', 1000)
Traceback (most recent call last):
  File "test.py", line 7, in <module>
    table = iptc.Table(iptc.Table.FILTER)
  File "/usr/lib64/python2.7/site-packages/iptc/ip4tc.py", line 1566, in __new__
    obj._init(name, autocommit)
  File "/usr/lib64/python2.7/site-packages/iptc/ip4tc.py", line 1582, in _init
    self.refresh()
  File "/usr/lib64/python2.7/site-packages/iptc/ip4tc.py", line 1619, in refresh
    self.strerror()))
iptc.ip4tc.IPTCError: can't initialize filter: Permission denied (you must be root)

My kernel is:
$ uname -r
4.4.224-1.el7.elrepo.x86_64

My python version is:
Python 2.7.5

My python-iptables version is:
python-iptables 0.12.0

I can successfully run "iptables -L" as a non-root user but I cannot successfully run iptc python commands as a non-root user.
Could it be failing because it requires additional capabilities?

@tomh4x

tomh4x commented Sep 22, 2020

iptables does not work as non-root either, as you're modifying settings in part of the kernel (netfilter). Linux is designed this way.

@theKidOfArcrania

Hi, you probably also need the cap_net_raw capability in addition to the cap_net_admin capability. (If you run strace -e trace=socket python3 -c 'import iptc; iptc.easy.dump_all()' you will see that it tries to open a raw socket, which it then uses setsockopt on to do iptables stuff.)
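A small pre-flight check for the situation in this thread, added here as an example and not code from python-iptables or from anyone in the issue: it parses the Cap* lines of /proc/self/status and reports which of cap_net_admin (bit 12) and cap_net_raw (bit 13) are missing from the effective set before iptc is ever imported. The bit numbers come from <linux/capability.h>; the SAMPLE_STATUS text is constructed to mimic the reporter's setup, where only cap_net_admin was granted.

```python
import os

# Capability bit numbers from <linux/capability.h>
CAP_NET_ADMIN = 12
CAP_NET_RAW = 13
# The two capabilities the thread identifies as needed for raw-socket + setsockopt access to netfilter
REQUIRED_CAPS = {"cap_net_admin": CAP_NET_ADMIN, "cap_net_raw": CAP_NET_RAW}


def parse_cap_masks(status_text):
    """Parse the CapInh/CapPrm/CapEff/CapBnd/CapAmb lines of a /proc/<pid>/status dump into ints."""
    masks = {}
    for line in status_text.splitlines():
        if line.startswith("Cap"):
            key, _, value = line.partition(":")
            masks[key.strip()] = int(value.strip(), 16)
    return masks


def missing_caps(eff_mask, required=REQUIRED_CAPS):
    """Return the sorted names of required capabilities whose bit is clear in the effective mask."""
    return sorted(name for name, bit in required.items() if not (eff_mask >> bit) & 1)


def check_current_process():
    """Read the real /proc/self/status (Linux only) and return (uid, missing capability names)."""
    with open("/proc/self/status") as f:
        masks = parse_cap_masks(f.read())
    return os.getuid(), missing_caps(masks.get("CapEff", 0))


# Constructed sample: setcap cap_net_admin+eip on the interpreter puts only bit 12 (0x1000)
# into the permitted and effective sets, which is the reporter's first attempt.
SAMPLE_STATUS = (
    "Name:\tpython2.7\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000001000\n"
    "CapEff:\t0000000000001000\n"
    "CapBnd:\t0000003fffffffff\n"
    "CapAmb:\t0000000000000000\n"
)

if __name__ == "__main__":
    print("sample process is missing:", missing_caps(parse_cap_masks(SAMPLE_STATUS)["CapEff"]))
    uid, missing = check_current_process()
    print("uid", uid, "is missing:", missing or "nothing; iptc.Table(...) should be permitted")
```

Running it under the interpreter that was given only cap_net_admin reports cap_net_raw as missing, which is the gap the strace observation above points at.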
