On Sat, 10 Jan 2009 09:48:10 -0800
Grant <emailgrant@×××××.com> wrote:

> That sounds good, how can I do that?

iptables module "owner" handles that stuff, just "man iptables" if
you have any trouble.

iptables -A OUTPUT -m owner --uid-owner someuser -p tcp -m tcp --dport http -j REJECT

Alternatively, you can use a numeric uid or match the user's group:

iptables -A OUTPUT -m owner --gid-owner users -p tcp -m tcp --dport http -j REJECT

As simple as that ;)

If blocking every possible user is too much trouble or you wish to
block just firefox, but not wget, to the http port for _all_ users (not the
same case as emerge from root) you can write a simple SUID wrapper for
the firefox binary, which changes the group to a restricted one (but leaves uid
and home unchanged), then launches the true firefox binary, to which only
that group has access.

-- 
Mike Kazantsev // fraggod.net
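The wrapper described in the last paragraph, as an added example that is not part of the original message: a setuid-root program that moves the caller into a restricted group, drops root again, and execs the real browser. The group name `nohttp` (the group an `iptables ... -m owner --gid-owner nohttp ... -j REJECT` rule would match) and the path `/usr/lib/firefox/firefox-real` (owned by that group, mode 0750, so only the wrapper can start it) are assumptions.

```c
/* Setuid-root wrapper: switch to a restricted group, drop root, exec the real
 * binary. Constructed example; group name and binary path are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define RESTRICTED_GROUP "nohttp"                    /* assumed: the gid the REJECT rule matches */
#define REAL_BINARY "/usr/lib/firefox/firefox-real"  /* assumed: chgrp nohttp, chmod 0750 */

/* Resolve a group name to its gid; returns (gid_t)-1 if the group is unknown. */
gid_t lookup_gid(const char *name) {
    struct group *gr = getgrnam(name);
    return gr ? gr->gr_gid : (gid_t)-1;
}

/* Confirm that real, effective and saved ids all hold the intended values,
 * so a partially failed privilege drop cannot go unnoticed. */
int verify_ids(uid_t uid, gid_t gid) {
    uid_t ru, eu, su;
    gid_t rg, eg, sg;
    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0) return -1;
    return (ru == uid && eu == uid && su == uid &&
            rg == gid && eg == gid && sg == gid) ? 0 : -1;
}

/* Order matters: supplementary groups and gid first (while still root), uid last. */
int drop_to_group(uid_t uid, gid_t gid) {
    if (setgroups(1, &gid) != 0) return -1;
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;
    return verify_ids(uid, gid);
}

int main(int argc, char **argv) {
    uid_t caller = getuid();              /* real uid: the user who ran the wrapper */
    gid_t gid = lookup_gid(RESTRICTED_GROUP);
    if (gid == (gid_t)-1) { fprintf(stderr, "unknown group %s\n", RESTRICTED_GROUP); return 1; }
    if (drop_to_group(caller, gid) != 0) { perror("privilege drop failed"); return 1; }
    argv[0] = REAL_BINARY;                /* HOME and the rest of the environment are kept */
    execv(REAL_BINARY, argv);
    perror("execv");                      /* only reached if the exec itself failed */
    return 1;
}
```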