On Wednesday 04 March 2009 17:18:20 Luis Maceira wrote:
> A normal user (adduser "normaluser") belongs automatically to the group
> normaluser, and only to this one,
> but he/she can also automatically connect
> to the Internet.

Yes, opening sockets on ports > 1024 is allowed to all users.

> How can the system administrator restrict the Internet
> access to specific users and block all others?

There's no completely standard way, and anything external to the system can't really tell what user is responsible for what packets.

> With commands like adduser
> addgroup etc. I don't see how.
> Does it need PAM, Kerberos etc. or is there a simpler method?

This can be controlled with SELinux and/or AppArmor, I think. Also, there is an iptables "owner" module that should be of some help. That should allow you to reject "normal" outgoing connections from anyone not in a group of your choosing.
--
Boyd Stephen Smith Jr.                   ,= ,-_-. =.
email@example.com                       ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy         `-'(. .)`-'
http://iguanasuicide.net/                    \_/
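The iptables "owner" match suggested in the reply, written out as an added example that is not part of the original message. The group name `inetusers`, the function name `emit_owner_rules` and the exemption for root are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. "inetusers" is a hypothetical
# group: create it with addgroup and add the permitted users to it.

# Print an iptables-restore ruleset (filter table) that lets only processes
# running with the given group open new outgoing connections.
emit_owner_rules() {
    group=$1
    # Accept only a plain group name, so the argument cannot smuggle extra
    # rule text into the generated ruleset.
    case $group in
        ''|[!A-Za-z_]*|*[!A-Za-z0-9_-]*)
            echo "invalid group name" >&2
            return 1 ;;
    esac
    cat <<EOF
*filter
# Local services talking over loopback are left alone.
-A OUTPUT -o lo -j ACCEPT
# Later packets of connections that were already permitted.
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Assumption: root keeps access for system daemons and updates.
-A OUTPUT -m owner --uid-owner 0 -j ACCEPT
# Processes running with the chosen group may open new connections.
# --gid-owner compares the process's own GID; supplementary membership
# is only considered when --suppl-groups is added (newer iptables).
-A OUTPUT -m owner --gid-owner $group -j ACCEPT
# Everyone else gets an immediate error instead of a timeout.
-A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
COMMIT
EOF
}

# Dry-run check as root before loading anything:
#   emit_owner_rules inetusers | iptables-restore --test
```

The owner match only sees locally generated packets, so it belongs in the OUTPUT chain as here; IPv6 traffic needs the equivalent rules loaded through ip6tables with an ICMPv6 reject type.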