Re: Allow full port access on one IP to a sub-user

From: Kasper Dupont (kasperd@daimi.au.dk)
Date: 12/01/02


From: Kasper Dupont <kasperd@daimi.au.dk>
Date: Sun, 01 Dec 2002 12:15:47 +0100

Fredderic wrote:
>
> > > 1) decisions based on the executable being run (preferably by
> > > converting PID to device/inode, and looking it up in a "compiled"
> > > list built from a list of filenames and their permissions, and
> > > preferably allowing a bunch of executables to optionally be grouped
> > > together)
> > > 2) decisions based on username (uid) and/or group (gid).
> > I don't know if this is even possible.
>
> For a remote firewall, not really. Definitely not practical, without
> implementing a "hyper-ip" protocol

Actually somebody has done exactly that.

> or a daemon process on the users system

Could the existing identd daemon be used?

>
> And I'm still fairly certain I saw at least an experimental iptables module
> that could filter outbound packets based on pid. It's only one step from
> pid, to uid/gid.

The owner module can do all that, but only for locally generated
packets. It can filter based on uid, gid, pid, and sid.

-- 
Kasper Dupont -- who spends too much time on usenet.
For sending spam use mailto:aaarep@daimi.au.dk
char *mybuf[1==1]; (2==3)[mybuf]="Hello World!";
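The rule layout the owner match implies, as an added example that is not part of the thread: one local uid gets every port on one destination IP, everything else from that uid to that IP is dropped, and replies are admitted with conntrack because the owner match only exists for locally generated packets (OUTPUT chain), never for INPUT. The chain name SUBUSER_OUT, uid 1001 and address 192.0.2.10 are assumed values. Note that the --pid-owner and --sid-owner options the post refers to belonged to the old ipt_owner module; later kernels dropped them, and today's xt_owner offers --uid-owner, --gid-owner and --socket-exists only.

```shell
#!/bin/sh
# Emit (or, with APPLY=1 as root, execute) iptables rules that give one
# uid full port access to one IP. Added example; chain name, uid and IP
# are assumptions, not values from the original thread.

# Print the rule, or run it when APPLY=1 is set in the environment.
run() {
    if [ "${APPLY:-0}" = 1 ]; then $1; else printf '%s\n' "$1"; fi
}

# Return 0 if $1 is a dotted-quad IPv4 address with octets in 0..255.
validate_ipv4() {
    ip="$1"
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs="$IFS"; IFS=.
    set -- $ip                 # split on dots into positional params
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# $1 = uid, $2 = destination IPv4, $3 = optional chain name.
owner_rules() {
    uid="$1"; dst="$2"
    chain="${3:-SUBUSER_OUT}"  # hypothetical chain name
    case "$uid" in ''|*[!0-9]*) echo "bad uid: $uid" >&2; return 1 ;; esac
    validate_ipv4 "$dst" || { echo "bad ip: $dst" >&2; return 1; }

    run "iptables -N $chain"
    # The owner match only sees locally generated packets, so the
    # uid-based decision has to live in OUTPUT.
    run "iptables -A OUTPUT -m owner --uid-owner $uid -d $dst -j $chain"
    run "iptables -A $chain -p tcp -j ACCEPT"
    run "iptables -A $chain -p udp -j ACCEPT"
    run "iptables -A $chain -j DROP"
    # Replies arrive on INPUT, where no owner information exists;
    # admit them by connection state instead of by uid.
    run "iptables -A INPUT -s $dst -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Dry run: print the rules for uid 1001 and host 192.0.2.10 (assumed values).
owner_rules 1001 192.0.2.10
```

Run it plainly to review the rules, or with `APPLY=1` as root to load them; the uid can be obtained from a user name with `id -u name`. The DROP at the end of the per-user chain is what makes the grant specific to that IP: traffic from the same uid to other hosts never enters the chain and is left to the rest of the OUTPUT policy.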
