| 1 |
On Sat, 10 Jan 2009 09:48:10 -0800 |
| 2 |
Grant <emailgrant@×××××.com> wrote: |
| 3 |
|
| 4 |
> That sounds good, how can I do that? |
| 5 |
|
| 6 |
iptables module "owner" handles that stuff, just "man iptables" if |
| 7 |
you'll have any trouble. |
| 8 |
|
| 9 |
iptables -A OUTPUT -m owner --uid-owner someuser -m tcp --dport http -j REJECT |
| 10 |
|
| 11 |
Alternatively, you can use numeric uid or match user group: |
| 12 |
|
| 13 |
iptables -A OUTPUT -m owner --gid-owner users -m tcp --dport http -j REJECT |
| 14 |
|
| 15 |
As simple as that ;) |
| 16 |
|
| 17 |
If blocking every possible user is too much trouble or you wish to |
| 18 |
block just firefox, but not wget to http port for _all_ users (not the |
| 19 |
same case as emerge from root) you can write a simple SUID wrapper for |
| 20 |
firefox binary, which changes group to restricted one (but leaves uid |
| 21 |
and home unchanged), then launches true firefox binary, to which only |
| 22 |
that group has access. |
| 23 |
|
| 24 |
-- |
| 25 |
Mike Kazantsev // fraggod.net |
Archives