libxtables: exit if called by setuid executeable

iptables (legacy or nft, doesn't matter) cannot be safely used with
setuid binaries.

Add a safety check for this.

Signed-off-by: Florian Westphal <fw@strlen.de>

diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index 9fff1e0dc8012389b3b9aba80feee031aa5e9904..b261e97bba3b7b020055caccc60c69a8267f1fd3 100644 (file)
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -245,6 +245,10 @@ static void dlreg_free(void)
 
 void xtables_init(void)
 {
+       /* xtables cannot be used with setuid in a safe way. */
+       if (getuid() != geteuid())
+               _exit(111);
+
        xtables_libdir = getenv("XTABLES_LIBDIR");
        if (xtables_libdir != NULL)
                return;