Quarantining an account from the Internet, or from all networking?

Kevin D. Clark kevin_d_clark at comcast.net
Tue Aug 17 13:44:03 EDT 2010


Benjamin Scott writes:

> On Tue, Aug 17, 2010 at 8:43 AM, Kevin D. Clark

> > Well, then, you might want to consider replacing every occurrence of
> > the DOCREADER binary on your system's disk with a script that
> > basically does this:
> >
> >  #!/bin/sh
> >  exec sudo -u UNTRUSTED DOCREADER-original "${@}"
> 
>   Just occurred to me: Couldn't you setgid the binary, and make the
> binary owned by root, group "untrusted" or whatever, mode 755.  Right?

That's a better suggestion than mine.

Another way to do all of this would be through a SELinux config.  I
have played with this on occasion, but haven't had as much time as I
would like to explore here.  It seems to me that this could be a more
fine-grained solution.

Regards,

--kevin
-- 
alumni.unh.edu!kdc / http://kdc-blog.blogspot.com/
GnuPG: D87F DAD6 0291 289C EB1E 781C 9BF8 A7D8 B280 F24E

 Wipe him down with gasoline 'til his arms are hard and mean
 From now on boys this iron boat's your home
 So heave away, boys.
   -- Tom Waits
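The wrapper Kevin sketches above, worked through as an added example (this script is not from the thread or from any project; it is illustrative). It assumes placeholder names: `DOCREADER` for the reader binary and `UNTRUSTED` for the confined account. It installs the wrapper only into a directory the caller names (the `demo` function uses a scratch directory, never a system path), execs the real binary by absolute path rather than relying on `PATH`, refuses to wrap the same binary twice so the original is never lost, and prints the sudoers line that lets the wrapper run without a password prompt. Note that `sudo -u` only changes which account runs the reader; keeping that account off the network is a separate control.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# DOCREADER and UNTRUSTED below are placeholders, not real names from the thread.

# write_wrapper DIR NAME USER
#   Moves DIR/NAME to DIR/NAME-original and writes DIR/NAME as a wrapper that
#   runs the original as USER via sudo.  Refuses to run twice on the same binary.
write_wrapper() {
    dir=$1
    name=$2
    user=$3
    wrapper="$dir/$name"
    orig="$dir/$name-original"

    # A second run would move the wrapper over the original; refuse instead.
    if [ -e "$orig" ]; then
        echo "write_wrapper: $orig already exists, refusing to overwrite" >&2
        return 1
    fi
    if [ ! -f "$wrapper" ]; then
        echo "write_wrapper: no binary at $wrapper" >&2
        return 1
    fi

    mv "$wrapper" "$orig" || return 1

    # Exec by absolute path so the wrapper never depends on PATH lookup.
    printf '#!/bin/sh\n# sudo wrapper generated by write_wrapper; runs the real binary as %s\nexec sudo -u %s %s "${@}"\n' \
        "$user" "$user" "$orig" > "$wrapper" || return 1
    chmod 755 "$wrapper"
}

# sudoers_rule USER PATH
#   Prints the sudoers line that allows any user to run PATH as USER without a
#   password, so the wrapper does not prompt every time the reader is launched.
sudoers_rule() {
    printf 'ALL ALL = (%s) NOPASSWD: %s\n' "$1" "$2"
}

# demo
#   Builds a fake DOCREADER in a scratch directory, wraps it, and prints the
#   generated wrapper, the sudoers line and the scratch directory path.
demo() {
    d=$(mktemp -d) || return 1
    # Constructed stand-in for the real reader binary.
    printf '#!/bin/sh\necho "original DOCREADER ran as $(id -un) with args: $*"\n' > "$d/DOCREADER"
    chmod 755 "$d/DOCREADER"
    write_wrapper "$d" DOCREADER UNTRUSTED || return 1
    cat "$d/DOCREADER"
    sudoers_rule UNTRUSTED "$d/DOCREADER-original"
    echo "$d"
}
```

Run `demo` from a shell that has sourced the script to see the generated wrapper; the sudoers line it prints is what `visudo` would need before the wrapper can switch accounts silently. The original binary keeps its own ownership and mode, so undoing the change is a single `mv` back.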
