> Grant <emailgrant@×××××.com> wrote:
>
>> That sounds good, how can I do that?
>
> iptables module "owner" handles that stuff, just "man iptables" if
> you'll have any trouble.
>
> iptables -A OUTPUT -m owner --uid-owner someuser -m tcp --dport http -j REJECT
>
> Alternatively, you can use numeric uid or match user group:
>
> iptables -A OUTPUT -m owner --gid-owner users -m tcp --dport http -j REJECT
>
> As simple as that ;)
>
> If blocking every possible user is too much trouble or you wish to
> block just firefox, but not wget to http port for _all_ users (not the
> same case as emerge from root) you can write a simple SUID wrapper for
> firefox binary, which changes group to restricted one (but leaves uid
> and home unchanged), then launches true firefox binary, to which only
> that group has access.
>
> --
> Mike Kazantsev // fraggod.net

Thanks Mike, that sounds like exactly what I should do.

- Grant
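A worked version of the SUID wrapper Mike describes in the quoted reply, added here as an example; it is not code from this thread or from fraggod.net. It assumes a restricted group named `nonet` (the group a rule like `iptables -A OUTPUT -m owner --gid-owner nonet -m tcp --dport http -j REJECT` would match), that the real browser lives at `/usr/lib/firefox/firefox-real` with mode 0750 and owner root:nonet, and that the wrapper itself is installed setuid root. Both the group name and the path are placeholders. The security-relevant part is the order of the credential changes and the checks after each one: supplementary groups first, then gid, then giving root back to the caller's real uid, so that nothing root-owned survives into the exec'd program while uid and $HOME stay the user's.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Placeholders (assumptions, not values from the thread): the real binary is
 * expected to be mode 0750 root:nonet so only the group can run it, and
 * "nonet" is the group the iptables --gid-owner rule rejects. */
#define REAL_FIREFOX     "/usr/lib/firefox/firefox-real"
#define RESTRICTED_GROUP "nonet"

/* Move the whole process (real, effective and saved ids) to `gid` and drop
 * the root privilege the setuid bit granted, keeping the caller's real uid.
 * Returns 0 on success, otherwise the errno of the step that failed. */
int drop_to_group(gid_t gid)
{
    uid_t real_uid = getuid();

    /* Supplementary groups can only be replaced with CAP_SETGID, i.e. while
     * we are still root; clearing them removes any other group the caller
     * might use to reach the real binary or dodge a gid-based rule. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return errno;

    /* As root, setgid() sets real, effective and saved gid together. */
    if (setgid(gid) != 0)
        return errno;

    /* Give root back. As root, setuid() sets all three uids to real_uid,
     * so no saved root uid is left for the exec'd program to reclaim. */
    if (setuid(real_uid) != 0)
        return errno;

    /* Verify rather than assume: a silent partial failure here would leave
     * root privilege around inside the browser. */
    if (getgid() != gid || getegid() != gid)
        return EPERM;
    if (getuid() != real_uid || geteuid() != real_uid)
        return EPERM;
    return 0;
}

int main(int argc, char **argv)
{
    (void)argc;

    struct group *gr = getgrnam(RESTRICTED_GROUP);
    if (gr == NULL) {
        fprintf(stderr, "group %s not found\n", RESTRICTED_GROUP);
        return 1;
    }

    int err = drop_to_group(gr->gr_gid);
    if (err != 0) {
        fprintf(stderr, "cannot switch to group %s: %s\n",
                RESTRICTED_GROUP, strerror(err));
        return 1;
    }

    /* uid and the environment ($HOME included) are untouched, so the user's
     * own profile directory is used; only the group changed. */
    argv[0] = REAL_FIREFOX;
    execv(REAL_FIREFOX, argv);
    perror("execv");
    return 1;
}
```

Run as an unprivileged user the function only re-asserts the caller's own gid and uid (both permitted without capabilities), which is what the test below checks; the setgroups() step is reached only when the wrapper really is setuid root. Pair it with the `--gid-owner nonet` rule quoted above and wget, emerge and everything else keep their normal groups and are unaffected.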