
Re: Restrict Internet Access and User-Groups Management.

On Wednesday 04 March 2009 17:18:20 Luis Maceira wrote:
> A normal user (adduser "normaluser") belongs automatically to the group
> normaluser, and only to this one,
> but he/she can also automatically connect
> to the Internet.

Yes, opening sockets on ports > 1024 is allowed to all users.

> How can the system administrator restrict the Internet
> access to specific users and block all others?

There's no completely standard way, and anything external to the system can't 
really tell what user is responsible for what packets.

> With commands like adduser
> addgroup etc. I don't see how.
> Does it need PAM, Kerberos etc. or is there a simpler method?

This can be controlled with SELinux and/or AppArmor, I think.  Also, there is 
an iptables "owner" module that should be of some help.  That should allow you 
to reject "normal" outgoing connections from anyone not in a group of your 
Boyd Stephen Smith Jr.                   ,= ,-_-. =.
bss@iguanasuicide.net                   ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy         `-'(. .)`-'
http://iguanasuicide.net/                    \_/
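
An added example, not part of the original message: one way to use the iptables "owner" match mentioned above so that only members of one group can open new outbound connections. The group name `inet`, the chain name `INET_USERS` and the function name are assumptions made for illustration; the function only prints the rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example: print (do not apply) an OUTPUT policy that lets only one
# group open new outbound connections. "inet" is a hypothetical group name.
# Usage (as root, after reviewing the output): inet_group_rules inet | sh

inet_group_rules() {
    group=$1
    # Accept only plain group names so the value cannot carry extra options.
    case $group in
        ''|-*|*[!A-Za-z0-9_-]*)
            echo "invalid group name: $group" >&2
            return 1 ;;
    esac
    cat <<EOF
# Separate chain so the policy can be flushed without touching other rules.
iptables -N INET_USERS
# Local services (X11, CUPS, local DNS cache) talk over loopback.
iptables -A INET_USERS -o lo -j ACCEPT
# Replies on connections that already exist, e.g. an inbound SSH session.
iptables -A INET_USERS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The owner match compares the socket owner's current group ID, so users
# need this as their primary group or must start programs via sg/newgrp.
iptables -A INET_USERS -m owner --gid-owner $group -j ACCEPT
# Everything else is refused, including root-owned daemons; give those
# their own --uid-owner ACCEPT rule above this line if they need the network.
iptables -A INET_USERS -j REJECT --reject-with icmp-admin-prohibited
# The owner match is only valid for locally generated traffic (OUTPUT).
iptables -A OUTPUT -j INET_USERS
EOF
}
```

These rules cover IPv4 only; the same policy has to be loaded with ip6tables, or IPv6 traffic is left unrestricted.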
