Gentree Watchman
Joined: 01 Jul 2003 Posts: 5350 Location: France, Old Europe
Posted: Wed Dec 08, 2010 9:21 am Post subject: restricting user network access
Hi,
I need to set up a restricted user account that will not have access to the internet.
Code:
$ groups
disk floppy man audio cdrom video cdrw usb users
$ ping google.com
PING google.com (74.125.230.83) 56(84) bytes of data.
64 bytes from 74.125.230.83: icmp_seq=1 ttl=56 time=83.9 ms
64 bytes from 74.125.230.83: icmp_seq=2 ttl=56 time=85.2 ms
^C
I don't see anything in those groups that would give the user net access. Presumably if he can ping google he has access.
What am I not understanding about groups?
TIA, Gentree. 8)
_________________
Linux, because I'd rather own a free OS than steal one that's not worth paying for.
Gentoo because I'm a masochist
AthlonXP-M on A7N8X. Portage ~x86
salahx Guru
Joined: 12 Mar 2005 Posts: 559
Posted: Wed Dec 08, 2010 7:19 pm
By default, anyone can send data through any interface for which there is a route.
However, iptables does have an "owner" match extension you might want to look into, but do note that not every packet generated by that user/group may be caught by it, since they may go through a less direct path. (For example, ping is setuid, so they may still be able to ping.)
More robust solutions exist, but they are much more complicated, involving quite a bit of infrastructure (like RADIUS).
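The owner-match approach from the reply above, as an added example that is not part of the original posts: it prints the iptables and ip6tables rules for one account and lists setuid programs that need review because of the caveat about ping. The function names, the script name and the candidate paths are assumptions.

```shell
#!/bin/sh
# Added example: per-user egress blocking with the iptables "owner" match.
# Function names and the candidate paths are assumptions, not from the thread.

# Print (do not apply) rules rejecting outbound packets from sockets owned
# by the given numeric UID. The owner match is only valid in OUTPUT and
# POSTROUTING, and IPv6 needs its own ip6tables rules.
owner_block_rules() {
    uid=$1
    case $uid in
        ''|*[!0-9]*) echo "uid must be numeric" >&2; return 2 ;;
    esac
    if [ "$uid" -eq 0 ]; then
        echo "refusing to block uid 0" >&2
        return 2
    fi
    for ipt in iptables ip6tables; do
        # Loopback stays open so local-only services keep working.
        echo "$ipt -A OUTPUT -o lo -m owner --uid-owner $uid -j ACCEPT"
        echo "$ipt -A OUTPUT -m owner --uid-owner $uid -j REJECT"
    done
}

# Print those of the given paths that carry the setuid bit. As the reply
# notes for ping, such programs may still get packets out despite the rule,
# so each one needs reviewing (or removing from the account's reach).
setuid_candidates() {
    for f in "$@"; do
        if [ -f "$f" ] && [ -u "$f" ]; then
            echo "$f"
        fi
    done
}

# Usage: sh restrict.sh <account>   (prints rules and an audit list)
if [ $# -gt 0 ]; then
    owner_block_rules "$(id -u "$1")" || exit 1
    echo "# setuid programs to review:"
    setuid_candidates /bin/ping /usr/bin/ping /usr/bin/traceroute | sed 's/^/#   /'
fi
```

The printed rules can be reviewed and then run as root; they append to OUTPUT, so any earlier ACCEPT rule in that chain still wins.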