| 1 |
> Grant <emailgrant@×××××.com> wrote: |
| 2 |
> |
| 3 |
>> That sounds good, how can I do that? |
| 4 |
> |
| 5 |
> iptables module "owner" handles that stuff, just "man iptables" if |
| 6 |
> you'll have any trouble. |
| 7 |
> |
| 8 |
> iptables -A OUTPUT -m owner --uid-owner someuser -m tcp --dport http -j REJECT |
| 9 |
> |
| 10 |
> Alternatively, you can use numeric uid or match user group: |
| 11 |
> |
| 12 |
> iptables -A OUTPUT -m owner --gid-owner users -m tcp --dport http -j REJECT |
| 13 |
> |
| 14 |
> As simple as that ;) |
| 15 |
> |
| 16 |
> If blocking every possible user is too much trouble or you wish to |
| 17 |
> block just firefox, but not wget to http port for _all_ users (not the |
| 18 |
> same case as emerge from root) you can write a simple SUID wrapper for |
| 19 |
> firefox binary, which changes group to restricted one (but leaves uid |
| 20 |
> and home unchanged), then launches true firefox binary, to which only |
| 21 |
> that group has access. |
| 22 |
> |
| 23 |
> -- |
| 24 |
> Mike Kazantsev // fraggod.net |
| 25 |
|
| 26 |
Thanks Mike, that sounds like exactly what I should do. |
| 27 |
|
| 28 |
- Grant |
Archives