Restrict Internet Access and User-Groups Management.
On Wednesday 04 March 2009 17:18:20 Luis Maceira wrote:
> A normal user( adduser "normaluser") belongs automatically to the group
> normaluser,and only to this one,
> but he/she can also automatically connect
> to the Internet.
Yes, opening sockets on ports > 1024 is allowed to all users.
> How can the system administrator restrict the Internet
> access to specific users and block all others.
There's no completely standard way, and anything external to the system can't
really tell what user is responsible for what packets.
> With commands like adduser
> addgroup etc. I don't see how.
> Does it need PAM,Kerberos etc. or is there a more simpler method?
This can be controlled with SELinux and/or AppArmor, I think. Also, there is
an iptables "owner" module that should be of some help. That should allow you
to reject "normal" outgoing connections from anyone not in a group of your
Boyd Stephen Smith Jr. ,= ,-_-. =.
firstname.lastname@example.org ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-'