Quarantining an account from the Internet, or from all networking?
Kevin D. Clark
kevin_d_clark at comcast.net
Tue Aug 17 08:43:35 EDT 2010
Suggestion: suppose you have set up your system with a uid that is
protected by some iptables rules (call this UNTRUSTED), and furthermore
also suppose that the binary that you really want to protect against
is called "DOCREADER".
Well, then, you might want to consider replacing every occurrence of
the DOCREADER binary on your system's disk with a script that
basically does this:
#!/bin/sh
# Re-exec the real binary as the firewalled UNTRUSTED uid, passing all arguments through.
exec sudo -u UNTRUSTED DOCREADER-original "${@}"
You might also want to consider locking this package down from a
package-management-automatic-updates perspective.
--kevin
--
alumni.unh.edu!kdc / http://kdc-blog.blogspot.com/
GnuPG: D87F DAD6 0291 289C EB1E 781C 9BF8 A7D8 B280 F24E
Wipe him down with gasoline 'til his arms are hard and mean
From now on boys this iron boat's your home
So heave away, boys.
-- Tom Waits
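The pieces the post sketches, written out as an added example (not code from the post): the owner-match firewall rules for the two quarantines the subject line asks about, the sudoers entry the wrapper needs, and the wrapper itself. The account name "untrusted" and the path /usr/bin/docreader.real are assumed names.

```shell
#!/bin/sh
# Added example; not code from the original post. Assumed names: the
# quarantined account is "untrusted", the real program has been moved to
# /usr/bin/docreader.real and the wrapper takes its place at /usr/bin/docreader.
UNTRUSTED_USER=untrusted
REAL_BIN=/usr/bin/docreader.real

# Print the firewall commands for either quarantine from the subject line:
# "internet" rejects everything except loopback, "all" rejects loopback too.
# Commands are printed, not run, so they can be reviewed; run the output as
# root to apply. The owner match is only valid in the OUTPUT chain, since
# the owning uid is known only for locally generated packets. Both iptables
# and ip6tables are emitted; leaving IPv6 out is a common way such a
# quarantine leaks.
quarantine_rules() {
    mode=$1
    for fw in iptables ip6tables; do
        case $mode in
            internet) echo "$fw -A OUTPUT ! -o lo -m owner --uid-owner $UNTRUSTED_USER -j REJECT" ;;
            all)      echo "$fw -A OUTPUT -m owner --uid-owner $UNTRUSTED_USER -j REJECT" ;;
            *)        echo "usage: quarantine_rules internet|all" >&2; return 1 ;;
        esac
    done
}

# The sudoers entry (for /etc/sudoers.d/) letting any local user run the
# real binary as the quarantined uid without a password prompt.
sudoers_line() {
    echo "ALL ALL=($UNTRUSTED_USER) NOPASSWD: $REAL_BIN"
}

# The wrapper from the post, with the assumed real path filled in; install
# its output as /usr/bin/docreader, mode 0755.
wrapper_script() {
    printf '#!/bin/sh\nexec sudo -u %s %s "$@"\n' "$UNTRUSTED_USER" "$REAL_BIN"
}

# Commands that move the real binary aside and make it executable only by
# root and the quarantined group, so an ordinary user cannot bypass the
# wrapper by running the renamed binary directly.
lockdown_commands() {
    echo "mv /usr/bin/docreader $REAL_BIN"
    echo "chown root:$UNTRUSTED_USER $REAL_BIN"
    echo "chmod 0750 $REAL_BIN"
}
```

The sudo rule is matched on the absolute path, so keep the wrapper pointing at the same path the sudoers line names; after a package update, re-check that the wrapper rather than a fresh copy of the binary is what sits at /usr/bin/docreader.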