Date: Sun, 11 Jan 2009 07:05:36 +0500
From: Mike Kazantsev
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Restricting Firefox website access
Message-ID: <20090111070536.52dece68@coercion>
In-Reply-To: <49bf44f10901100948x5ad0087ag93feadefce0385ad@mail.gmail.com>
X-Mailer: Claws Mail 3.7.0 (GTK+ 2.14.5; i686-pc-linux-gnu)
On Sat, 10 Jan 2009 09:48:10 -0800 Grant wrote:

> That sounds good, how can I do that?

The iptables module "owner" handles that stuff, just "man iptables" if you have any trouble.

iptables -A OUTPUT -p tcp -m owner --uid-owner someuser -m tcp --dport http -j REJECT

Alternatively, you can use a numeric uid or match the user's group:

iptables -A OUTPUT -p tcp -m owner --gid-owner users -m tcp --dport http -j REJECT

As simple as that ;)

If blocking every possible user is too much trouble, or you wish to block just firefox but not wget to the http port for _all_ users (not the same case as emerge from root), you can write a simple SUID wrapper for the firefox binary, which changes the group to a restricted one (but leaves uid and home unchanged), then launches the true firefox binary, to which only that group has access.

--
Mike Kazantsev // fraggod.net
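The group-switching wrapper sketched in the last paragraph, as an added example that is not code from the thread: a setgid (rather than setuid) binary is enough, because only the group changes and the uid stays the caller's; the group name nohttp and the path /usr/lib/firefox/firefox are assumptions, and the install comment also extends the posted rule to port https.

```c
/* Added example SGID wrapper; group name and path are assumptions.
 * Build:   gcc -O2 -Wall -o firefox-wrapper firefox-wrapper.c
 * Install: chgrp nohttp firefox-wrapper && chmod 2755 firefox-wrapper
 *          chgrp nohttp /usr/lib/firefox/firefox && chmod 0750 /usr/lib/firefox/firefox
 * Rules:   iptables -A OUTPUT -p tcp -m owner --gid-owner nohttp -m tcp --dport http  -j REJECT
 *          iptables -A OUTPUT -p tcp -m owner --gid-owner nohttp -m tcp --dport https -j REJECT
 */
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

#define REAL_FIREFOX     "/usr/lib/firefox/firefox"  /* assumed path */
#define RESTRICTED_GROUP "nohttp"                    /* assumed group */

/* Make gid the real, effective and saved gid, so that neither Firefox nor
 * any child it spawns can setgid() back to the caller's original group.
 * The uid is untouched, so $HOME and the profile still belong to the user.
 * Returns 0 on success, -1 on failure. */
int switch_to_group(gid_t gid)
{
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    /* Re-read the ids instead of trusting the return value: a partial
     * switch would leave a way back to the unrestricted group. */
    if (getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    (void)argc;
    struct group *gr = getgrnam(RESTRICTED_GROUP);
    if (gr == NULL) {
        fprintf(stderr, "group %s not found\n", RESTRICTED_GROUP);
        return 1;
    }
    if (switch_to_group(gr->gr_gid) != 0) {
        perror("setresgid");
        return 1;   /* refuse to start Firefox unrestricted */
    }
    /* Hand the user's arguments through unchanged; argv[0] names the real binary. */
    argv[0] = REAL_FIREFOX;
    execv(REAL_FIREFOX, argv);
    perror("execv");
    return 1;
}
```

The owner match only sees packets generated locally in the OUTPUT chain, so the wrapper and the rules together restrict Firefox on this host only.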