Quarantining an account from the Internet, or from all networking?

Bill Sconce sconce at in-spec-inc.com
Tue Aug 17 20:55:40 EDT 2010


On Tue, 17 Aug 2010 11:35:59 -0400
Benjamin Scott <dragonhawk at gmail.com> wrote:


>   It sounds like what he really wants to do is sandbox an untrusted application.
> 
>   For example, if you don't trust Adobe Reader, you might want to deny
> all network I/O to it.

That's it. 

[A virtual machine would also do the job.

[But just a user account in which to run Adobe Reader, a user account for
which the kernel refuses to pass any packets out to the network, is
considerably lighter weight. In fact, the machine in question, my
laptop, is old enough to not support the virtualization hardware
instructions. It does run virtualized machines, but SLOOOWWWWWLY.]

I promised to report back on iptables.

>> Success! <<

I created an account, then did several ad hoc tests. I used "whois",
before and after setting "-j DROP" (reproduced below), ran Firefox
before and after ditto, and did some trials of SSH on the LAN and
on the WAN. In every case the network is there when the "-j DROP"
rule below isn't in effect, and not accessible when "-j DROP" is
in effect.  And evince (which is what I usually use to read PDFs)
works without complaint, at least on the first few PDFs (local
files!) I tried. I suppose I'll try the real Adobe Reader(tm) at
some point, but for now, this is exactly what I hoped for.

Test summary:
Any program run as the user "sconce_nonet", with the iptables
rule below in effect, cannot send IP packets to the net, WAN
or LAN. Programs running as other users are not affected.
Perfect.

Thanks again, guys!

-Bill

______________________________________________________________
$ sudo adduser --force-badname --uid 609 sconce_nonet
   [...]

$ sudo -H -u sconce_nonet -s

sconce_nonet@laura:~$ ls -l
total 0


sconce_nonet@laura:~$ # Test that the newly-created account can reach the net
sconce_nonet@laura:~$ whois google.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Server Name: GOOGLE.COM.ZZZZZZZZZZZZZ.GET.ONE.MILLION.DOLLARS.AT.WWW.UNIMUNDI.COM
   IP Address: 209.126.190.70
   Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
   Whois Server: whois.PublicDomainRegistry.com
   Referral URL: http://www.PublicDomainRegistry.com

   Server Name: GOOGLE.COM.ZZZZZZ.THE.BEST.WEBHOSTING.AT.WWW.FATUCH.COM
   IP Address: 209.126.190.70
   Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
   Whois Server: whois.PublicDomainRegistry.com
   Referral URL: http://www.PublicDomainRegistry.com

   Server Name: GOOGLE.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM
      [...and so on for a while. I am not making this up.]

sconce_nonet@laura:~$ # Test that iptables can shut off access to the net
sconce_nonet@laura:~$ sudo iptables -A OUTPUT -o eth0 -m owner --uid-owner 609 -j DROP

sconce_nonet@laura:~$ whois google.com
getaddrinfo(whois.crsnic.net): Name or service not known
      [...]
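The per-uid egress block above, as an added example that is not part of the post: one function prints a fuller rule set (all interfaces rather than just eth0, loopback kept open, an ip6tables twin, REJECT swapped in for the post's DROP so programs fail fast), and a second checks a captured "iptables -S OUTPUT" listing for a rule that actually cuts the uid off. The uid 609 and the interface names are the post's values; the captured listings used for checking are constructed.

```shell
#!/bin/sh
# Added example (not from the post): build and verify a per-uid
# "no network" egress policy with the iptables owner match.
#
# Print the rules for one uid. Unlike the single "-o eth0" rule in the
# post, these apply to every interface (wlan0 included), keep loopback
# usable so local IPC still works, add the IPv6 twin via ip6tables, and
# use REJECT so blocked programs fail immediately instead of hanging.
nonet_rules() {
    uid="$1"
    for tool in iptables ip6tables; do
        echo "$tool -A OUTPUT -o lo -m owner --uid-owner $uid -j ACCEPT"
        echo "$tool -A OUTPUT -m owner --uid-owner $uid -j REJECT"
    done
}

# Read the text of "iptables -S OUTPUT" on stdin and succeed only if
# the uid has a DROP or REJECT owner rule that is not limited to one
# interface ("-o eth0" alone leaves any other interface open).
nonet_rule_present() {
    uid="$1"
    grep -E -- "^-A OUTPUT .*-m owner --uid-owner $uid .*-j (DROP|REJECT)" |
        grep -v -- '-o ' | grep -q .
}

# Example run (uid 609 is the post's value; the rules are only printed,
# piping them to sh as root would apply them):
#   nonet_rules 609
#   iptables -S OUTPUT | nonet_rule_present 609 && echo "uid 609 is cut off"
```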

More information about the gnhlug-discuss mailing list