Restrict Internet Access and User-Groups Management.
On Wednesday 04 March 2009 17:18:20 Luis Maceira wrote:
> A normal user (adduser "normaluser") belongs automatically to the group
> normaluser, and only to this one,
> but he/she can also automatically connect
> to the Internet.
Yes, opening sockets on ports > 1024 is allowed to all users.
> How can the system administrator restrict the Internet
> access to specific users and block all others?
There's no completely standard way, and anything external to the system can't
really tell what user is responsible for what packets.
> With commands like adduser
> addgroup etc. I don't see how.
> Does it need PAM, Kerberos etc., or is there a simpler method?
This can be controlled with SELinux and/or AppArmor, I think. Also, there is
an iptables "owner" module that should be of some help. That should allow you
to reject "normal" outgoing connections from anyone not in a group of your
choosing.
--
Boyd Stephen Smith Jr. ,= ,-_-. =.
bss@iguanasuicide.net ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-'
http://iguanasuicide.net/ \_/
|
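As an added illustration of the iptables "owner" approach mentioned above (this script is not from the thread or from any Debian package), the following builds a dedicated OUTPUT chain that lets root and members of one group open outbound connections and rejects everyone else. Assumed names and values: the allowed group is called "inet", the chain is called INET_USERS, the local network exempted from the rule is 192.168.0.0/16, and the script is run as root with a working iptables; setting IPTABLES="echo iptables" prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not part of the original thread: restrict outbound
# Internet access to root and to members of one Unix group with the
# iptables "owner" match (-m owner --gid-owner GROUP).
#
# Assumptions (hypothetical, adjust to taste):
#   - group name:  inet          (must exist in /etc/group)
#   - chain name:  INET_USERS
#   - local net:   192.168.0.0/16 stays reachable for everyone
#   - run as root; IPTABLES="echo iptables" gives a dry run
#
# Usage:  ./restrict-inet.sh inet
#         IPTABLES="echo iptables" ./restrict-inet.sh inet 10.0.0.0/8

IPTABLES="${IPTABLES:-iptables}"   # left unquoted below on purpose so
CHAIN=INET_USERS                   # "echo iptables" splits into two words

# emit_rules GROUP [LOCAL_NET]
# Order matters: always-allowed traffic first, then the group check,
# then the catch-all reject.
emit_rules() {
    group="$1"
    local_net="${2:-192.168.0.0/16}"

    # --gid-owner also accepts a numeric GID, but a misspelled group name
    # would lock every unprivileged user out, so refuse it up front.
    if command -v getent >/dev/null 2>&1 && ! getent group "$group" >/dev/null 2>&1; then
        echo "emit_rules: group '$group' not found" >&2
        return 1
    fi

    # Create the chain, or flush it if a previous run left it behind.
    $IPTABLES -N "$CHAIN" 2>/dev/null || $IPTABLES -F "$CHAIN"

    # Loopback and the local network are open to everyone.
    $IPTABLES -A "$CHAIN" -o lo -j RETURN
    $IPTABLES -A "$CHAIN" -d "$local_net" -j RETURN
    # Packets belonging to connections that were already permitted.
    $IPTABLES -A "$CHAIN" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
    # root keeps access (package updates, NTP, daemons).
    $IPTABLES -A "$CHAIN" -m owner --uid-owner 0 -j RETURN
    # The owner match tests the GID that owns the socket, i.e. the
    # effective/primary group of the process that created it, not the
    # user's supplementary groups (see the note below the script).
    $IPTABLES -A "$CHAIN" -m owner --gid-owner "$group" -j RETURN
    # Everyone else: reject rather than drop, so clients fail immediately.
    $IPTABLES -A "$CHAIN" -j REJECT --reject-with icmp-admin-prohibited

    # Hook the chain into OUTPUT exactly once (the -C check makes reruns safe).
    $IPTABLES -C OUTPUT -j "$CHAIN" 2>/dev/null || $IPTABLES -I OUTPUT 1 -j "$CHAIN"
}

# Only act when executed directly with a group argument, so the file can
# also be sourced for its function.
if [ -n "$1" ]; then
    emit_rules "$1" "$2"
fi
```

Two caveats a practitioner will hit: first, "--gid-owner" looks at the socket's owning group, so a user who merely has "inet" as a supplementary group is still rejected until the process switches group (for example via "sg inet" or "newgrp inet") or "inet" is made the user's primary group; recent kernels and iptables versions add a "--suppl-groups" flag to the owner match that also checks supplementary groups, which removes that step if available. Second, the rules apply only to locally generated packets, so forwarded traffic from other hosts is unaffected, which is exactly the point made in the reply above that nothing outside the box can attribute packets to a user.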