Quarantining an account from the Internet, or from all networking?

Ryan Stanyan ryan.stanyan at gmail.com
Mon Aug 16 17:14:20 EDT 2010


On Aug 16, 2010, at 4:56 PM, Bill Sconce wrote:

> Does anyone know of a way to prevent a Linux account from accessing
> the Internet?
>
> E.g., setting a [per-user] gateway to nil, or setting permissions
> on some node along the path to eth0?
>
> It's acceptable to be crude, to prevent such an account from
> using any network services whatsoever.
>
> I can see how to do it brute-forcefully, by wrapping each focus
> into such a user's process [window] with a script which invokes
> "ifdown eth0", and invokes "ifup eth0" on the way back out. But
> that's ugly; something like a permissions-based approach would
> be much more Linux-like.
>
> (The intention is to quarantine a very-untrusted application,
> for example a program which runs Flash, or any program which
> displays PDFs, or any other blobs-downloaded-from-the-'net.
> Adobe Reader(tm), I'm talking to you.)
>
> It all has to do with a talk I should do someday, and which has
> gotten a fresh kick from Eben Moglen's talk at LinuxCon...
>
> Many thanks!
>
> -Bill

Bill,

I don't have anything in particular in mind, but I remember a quick  
and dirty way to go about this is to use the down option in ifconfig  
if you have it.

e.g. ifconfig eth0 down

-Ryan
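
An added example, not part of either poster's message: the permissions-style approach the question asks for can be expressed with the netfilter `owner` match, which filters locally generated packets by the UID that owns the sending socket. The function name `quarantine_rules` and its two modes (mirroring the subject line's "Internet" versus "all networking") are made up for this example; it only prints the commands, which would then be run as root.

```shell
#!/bin/sh
# Added example (not from the thread): print per-user egress rules that use
# the iptables "owner" match. Nothing is applied here; review the output and
# run it as root. The rules are appended (-A), so an earlier ACCEPT rule in
# the OUTPUT chain would still take precedence over them.

# quarantine_rules USER [MODE]   (hypothetical helper)
#   MODE=all       reject every packet the account's sockets originate
#   MODE=internet  same, but still allow traffic over the loopback interface
quarantine_rules() {
    user=$1
    mode=${2:-all}

    # Resolve to a numeric UID so a mistyped name fails here, not in iptables.
    uid=$(id -u "$user" 2>/dev/null) || {
        echo "unknown user: $user" >&2
        return 1
    }

    case $mode in
        all|internet) ;;
        *) echo "mode must be 'all' or 'internet'" >&2; return 2 ;;
    esac

    # Emit the same rules for IPv4 and IPv6: blocking only one family
    # leaves the account free to use the other.
    for ipt in iptables ip6tables; do
        if [ "$mode" = internet ]; then
            echo "$ipt -A OUTPUT -o lo -m owner --uid-owner $uid -j ACCEPT"
        fi
        echo "$ipt -A OUTPUT -m owner --uid-owner $uid -j REJECT"
    done
}

# Stand-alone use: sh quarantine.sh USER [all|internet]
if [ $# -gt 0 ]; then
    quarantine_rules "$@"
fi
```

Unlike `ifconfig eth0 down`, these rules leave the interface up for every other account on the machine.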


