Quarantining an account from the Internet, or from all networking?
Bill Sconce
sconce at in-spec-inc.com
Mon Aug 16 16:56:32 EDT 2010

Does anyone know of a way to prevent a Linux account from accessing
the Internet?

E.g., setting a [per-user] gateway to nil, or setting permissions
on some node along the path to eth0?

It's acceptable to be crude, to prevent such an account from
using any network services whatsoever.

I can see how to do it brute-forcefully, by wrapping each focus
into such a user's process [window] with a script which invokes
"ifdown eth0", and invokes "ifup eth0" on the way back out. But
that's ugly; something like a permissions-based approach would
be much more Linux-like.

(The intention is to quarantine a very-untrusted application,
for example a program which runs Flash, or any program which
displays PDFs, or any other blobs-downloaded-from-the-'net.
Adobe Reader(tm), I'm talking to you.)

It all has to do with a talk I should do someday, and which has
gotten a fresh kick from Eben Moglen's talk at LinuxCon...

Many thanks!

-Bill