RE: restricting outbound access?
> How about group access privileges on the offending executables? Seems to me to be the natural method of restricting access to stuff.

That is no good unless you restrict adding new binaries, or building from source.

Gustavo

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: restricting outbound access?
On Wed, May 15, 2002 at 09:49:08PM -0500, Steve Meyer wrote:
> I have a question. Is there any way to restrict outbound access for all but a few users? I know with iptables you can block outbound traffic completely but that won't work in my situation. There are about 150 users of my server and only 3 of them need outbound access so I am kind of in a sticky situation. Any help would be greatly appreciated.

I believe you can do this with RSBAC: http://www.rsbac.org/ and a lot more. Make sure that you know what you are getting into, though. Access control at such a fine-grained level can be a lot of work to set up and maintain.

--
 - mdz
RE: restricting outbound access?
How about group access privileges on the offending executables? Seems to me to be the natural method of restricting access to stuff.

Curt-

> I have a question. Is there any way to restrict outbound access for all but a few users? I know with iptables you can block outbound traffic completely but that won't work in my situation. There are about 150 users of my server and only 3 of them need outbound access so I am kind of in a sticky situation. Any help would be greatly appreciated.
>
> Thanks in advance
> Steve Meyer
Re: restricting outbound access?
On Wed, May 15, 2002 at 09:49:08PM -0500, Steve Meyer wrote:
> I have a question. Is there any way to restrict outbound access for all but a few users? I know with iptables you can block outbound traffic completely but that won't work in my situation. There are about 150 users of my server and only 3 of them need outbound access so I am kind of in a sticky situation. Any help would be greatly appreciated.

If you built your kernel with iptables and CONFIG_IP_NF_MATCH_OWNER, you can add rules to your OUTPUT chain matching specific uids or gids. It won't let you control who can receive data from the network, but it will let you restrict who can send what.

--
William Aoki [EMAIL PROTECTED]
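The owner-match approach from the reply above, as an added example that is not part of the original thread: a shell function that prints (but does not run) an OUTPUT-chain policy allowing new outbound connections only for listed users. The chain name `EGRESS_OWNER` and the user names `alice`, `bob`, `carol` are constructed for illustration.

```shell
#!/bin/sh
# Added example: emit iptables commands for per-user egress control using
# the owner match (-m owner), which is only meaningful for locally
# generated packets, i.e. on the OUTPUT side.
# Review the printed rules, then apply them as root by piping to sh.

egress_rules() {
    chain="EGRESS_OWNER"    # hypothetical chain name

    [ "$#" -gt 0 ] || { echo "usage: egress_rules USER..." >&2; return 1; }

    # The output is meant to be piped into a root shell, so refuse anything
    # that is not a plain account name or numeric uid.
    for u in "$@"; do
        case "$u" in
            ""|-*|*[!A-Za-z0-9_.-]*)
                echo "refusing user name: $u" >&2
                return 1 ;;
        esac
    done

    echo "iptables -N $chain"
    # Local IPC over loopback stays available to everyone.
    echo "iptables -A $chain -o lo -j ACCEPT"
    # Packets of connections that already exist, including replies to
    # inbound connections: the owner match cannot restrict receiving.
    echo "iptables -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # root, plus each permitted account. Daemons that run under their own
    # uid and must connect out have to be listed as well.
    echo "iptables -A $chain -m owner --uid-owner 0 -j ACCEPT"
    for u in "$@"; do
        echo "iptables -A $chain -m owner --uid-owner $u -j ACCEPT"
    done
    # Everyone else gets an immediate error instead of a timeout.
    echo "iptables -A $chain -j REJECT"
    # Hook the chain in last, once it is complete.
    echo "iptables -A OUTPUT -j $chain"
}

# Constructed sample invocation: the three users who need outbound access.
egress_rules alice bob carol
```

Because the policy lives in its own chain, it can be withdrawn by deleting the single OUTPUT jump and then flushing and deleting the chain.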