Re: [PATCH] security: use secure_getenv() to prevent env-var privilege escalation

public inbox for netfilter-devel@vger.kernel.org
 help / color / mirror / Atom feed

From: Florian Westphal <fw@strlen.de>
To: Alan Ross <alan@sleuthco.ai>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH] security: use secure_getenv() to prevent env-var privilege escalation
Date: Wed, 11 Feb 2026 18:06:10 +0100	[thread overview]
Message-ID: <aYy3ApR8MskC805m@strlen.de> (raw)
In-Reply-To: <CAKgz23Gtsg4HGV8qqk7OovcK21ZdpwNzEnzoPzqrW=5eE6jV_w@mail.gmail.com>

Alan Ross <alan@sleuthco.ai> wrote:
> Hi netfilter team,
> 
>   iptables uses getenv() to read XTABLES_LIBDIR, IPTABLES_LIB_DIR,
>   IP6TABLES_LIB_DIR, XTABLES_LOCKFILE, and EBTABLES_SAVE_COUNTER. Since
>   iptables runs as root, these become local privilege escalation vectors:

If someone can set up your environment they can also set up
LD_PRELOAD and PATH.

>   This patch replaces getenv() with secure_getenv() for all 5 variables.
>   secure_getenv() returns NULL when AT_SECURE is set by the kernel (for
>   setuid, setgid, or capability-elevated binaries), blocking env-var
>   injection without affecting normal unprivileged usage.

iptables requires CAP_NET_ADMIN to work and it was never designed to work
with setuid-to-root.

What kind of scenario/setup needs this patch?

next prev parent reply	other threads:[~2026-02-11 17:06 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-02-11 14:19 [PATCH] security: use secure_getenv() to prevent env-var privilege escalation Alan Ross
2026-02-11 17:06 ` Florian Westphal [this message]
     [not found]   ` <CAKgz23Hendu+Y=rhSwupr30Vf0JuJS5b6D-vp8A0TAC2swA-Bw@mail.gmail.com>
2026-02-11 19:03     ` Florian Westphal
     [not found]       ` <CAKgz23GWzqiryJwfjJyf7ObTkAnLciFZ6vKXcxACtm-N8xZi-w@mail.gmail.com>
2026-02-12  0:18         ` Florian Westphal

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aYy3ApR8MskC805m@strlen.de \
    --to=fw@strlen.de \
    --cc=alan@sleuthco.ai \
    --cc=netfilter-devel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox