
Re: Dropping users making output connections.



[Please make sure you reply to the list]

Sthu Deus wrote:
> You wrote:
> 
>>> What's wrong w/ my set up (I want to allow output traffic for the
>>> users that are in the allowed group only):
>>>
>>> iptables -I OUTPUT 1 -m owner ! --gid-owner allowed -j DROP
>>>
>>> but what I get is that all the users including those in the allowed
>>> group are blocked.
>> --gid-owner does not match /any/ group the user sending the packet
>> belongs to; it matches the group id of the process sending the
>> packet. Unless you change it e.g. with newgrp, the current group id
>> is the user's default group id.
> 
> I did not understand how change it w/ "newgrp".
> 
> Did You mean to include the users to a new group?

No. I mean to run the command in an environment where the command 'id'
would report 'allowed' as the current gid, not only in the list of
groups. For example:

$ newgrp allowed
$ <command>

or

$ sg allowed '<command>'

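A small diagnostic that goes with the explanation above; it is an added example and not part of the thread. It answers, for the shell it runs in, the question the thread raises: would `-m owner --gid-owner GROUP` match packets sent from here? The owner match compares the gid the sending process currently runs with (what `id -g` prints), so the script distinguishes "current gid is GROUP" from "GROUP is only in the supplementary list" (where `sg`/`newgrp` is the fix) and "not a member at all". The group name `allowed` and the exit-code convention are assumptions made for this example.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): tells you whether a rule such as
#   iptables -I OUTPUT 1 -m owner ! --gid-owner GROUP -j DROP
# would let packets from the *current* shell through. The owner match looks at
# the gid the sending process runs with (id -g), not at the supplementary
# group list (id -G), which is why membership alone is not enough.
#
# check_gid_owner GROUP
#   exit 0 : current gid is GROUP              -> --gid-owner GROUP matches
#   exit 1 : GROUP is only a supplementary gid -> run the command under sg/newgrp
#   exit 2 : not a member at all               -> sg/newgrp cannot help
# (exit-code convention is this example's own assumption)
check_gid_owner() {
    group=$1
    current=$(id -gn)          # current (effective) group name of this process
    if [ "$current" = "$group" ]; then
        echo "current gid is '$group': -m owner --gid-owner $group matches"
        return 0
    fi
    for g in $(id -Gn); do     # all groups the user belongs to
        if [ "$g" = "$group" ]; then
            echo "'$group' is only a supplementary group (current gid is '$current')"
            echo "run the program as: sg $group '<command>'   (or: newgrp $group)"
            return 1
        fi
    done
    echo "not a member of '$group' (current gid is '$current')"
    return 2
}

# Usage: sh check_gid_owner.sh allowed   (group name 'allowed' is an assumption)
if [ $# -gt 0 ]; then
    check_gid_owner "$1"
fi
```

Run it once from a plain login shell and once inside `newgrp allowed`; only the second run reports a match, which is exactly the difference between being listed in the group and having it as the current gid.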
