On Sat, 10 Jan 2009 09:48:10 -0800 Grant <emailgr...@gmail.com> wrote:
> That sounds good, how can I do that?

iptables module "owner" handles that stuff, just "man iptables" if you have any trouble.

  iptables -A OUTPUT -m owner --uid-owner someuser -m tcp --dport http -j REJECT

Alternatively, you can use a numeric uid or match a user group:

  iptables -A OUTPUT -m owner --gid-owner users -m tcp --dport http -j REJECT

As simple as that ;)

If blocking every possible user is too much trouble or you wish to block just firefox, but not wget to the http port for _all_ users (not the same case as emerge from root), you can write a simple SUID wrapper for the firefox binary, which changes group to a restricted one (but leaves uid and home unchanged), then launches the true firefox binary, to which only that group has access.

-- 
Mike Kazantsev // fraggod.net
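The wrapper approach from the reply above, worked out as an added example (my code, not from the list post or from any Gentoo package). It deviates from the post in one deliberate way: the wrapper is installed setgid to the restricted group rather than setuid root, which is enough to change the group and hands out less privilege. Everything else is an assumption for illustration: the group name netjail, the path /usr/lib/firefox/firefox-real for the real binary, and the list of environment variables kept. The install steps and the matching iptables rule are in the header comment; the rule uses -p tcp so the tcp match is loaded with the protocol set.

```c
/* netjail-wrap.c: setgid wrapper that runs the real browser binary under a
 * restricted group, so an iptables owner match can reject its traffic.
 *
 * Assumed (hypothetical) setup as root:
 *   groupadd netjail
 *   mv /usr/bin/firefox /usr/lib/firefox/firefox-real
 *   chown root:netjail /usr/lib/firefox/firefox-real
 *   chmod 0750 /usr/lib/firefox/firefox-real      # only group netjail can exec it
 *   gcc -O2 -Wall -o /usr/bin/firefox netjail-wrap.c
 *   chown root:netjail /usr/bin/firefox
 *   chmod 2755 /usr/bin/firefox                   # setgid netjail, not setuid
 *   iptables -A OUTPUT -p tcp --dport 80 -m owner --gid-owner netjail -j REJECT
 */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define REAL_BINARY "/usr/lib/firefox/firefox-real"   /* assumed path */
#define MAX_ENV 64

/* Only these variables reach the real binary; loader-controlling ones such
 * as LD_PRELOAD and LD_LIBRARY_PATH are dropped. HOME stays, as the post
 * wants uid and home unchanged. */
static const char *const keep_vars[] = {
    "HOME", "USER", "LOGNAME", "PATH", "DISPLAY", "XAUTHORITY",
    "LANG", "LC_ALL", "TERM", "SHELL", NULL
};

/* Copy whitelisted NAME=value entries from envp into out (NULL-terminated).
 * Returns the number kept, or -1 if out cannot hold them plus the NULL. */
int build_env(char *const *envp, char **out, int max)
{
    int n = 0;
    for (; envp && *envp; envp++) {
        const char *eq = strchr(*envp, '=');
        if (!eq)
            continue;
        size_t len = (size_t)(eq - *envp);
        for (int i = 0; keep_vars[i]; i++) {
            if (strlen(keep_vars[i]) == len &&
                strncmp(*envp, keep_vars[i], len) == 0) {
                if (n >= max - 1)
                    return -1;
                out[n++] = *envp;
                break;
            }
        }
    }
    out[n] = NULL;
    return n;
}

/* True when both the real and the effective gid equal g. */
int gids_are(gid_t g)
{
    return getgid() == g && getegid() == g;
}

/* Make g the real, effective and saved gid. A setgid binary already has
 * egid == g, and an unprivileged process may set its real gid to its
 * effective gid, so no CAP_SETGID is required. Supplementary groups stay
 * (clearing them needs CAP_SETGID); the owner match keys on the gid the
 * socket was created with, which is this effective gid. */
int drop_to_group(gid_t g)
{
    if (setresgid(g, g, g) != 0)
        return -1;
    return gids_are(g) ? 0 : -1;
}

int main(int argc, char **argv, char **envp)
{
    (void)argc;
    gid_t g = getegid();              /* the group the setgid bit gave us */
    if (g == getgid()) {              /* fail closed if not installed setgid */
        fprintf(stderr, "wrapper is not setgid to a separate group\n");
        return 1;
    }
    if (drop_to_group(g) != 0) {
        perror("setresgid");
        return 1;
    }
    char *env[MAX_ENV];
    if (build_env(envp, env, MAX_ENV) < 0) {
        fprintf(stderr, "environment too large\n");
        return 1;
    }
    execve(REAL_BINARY, argv, env);   /* only returns on failure */
    perror("execve " REAL_BINARY);
    return 127;
}
```

The fail-closed check on getgid() matters: if the setgid bit is lost (a copy with cp, a filesystem mounted nosuid), the wrapper would otherwise launch the browser under the user's own group and the REJECT rule would never match. Users who are members of netjail directly can bypass the wrapper, so the group should have no members and exist only as the target of the setgid bit.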