I mentioned "Warner Bros." in my re-post. That may be current news today,
but to leave a cookie crumb for later (e.g. if/when a presentation on
this subject happens), here are wayback URLs/notes. These are far from
the only news stories about Flash; they just happened to be the ones
which were curr
[Note: this is a re-send of my post describing why I'd asked
about quarantining. It's been called to my attention that the
footnote I put in at "(*)" in the original was subject to
misinterpretation. I apologize; my remark was meant to be
ironic, meant to be perceived by a Linux audience as wryly
On Mon, 16 Aug 2010 16:56:32 -0400
Bill Sconce wrote:
> (The intention is to quarantine a very-untrusted application,
> for example a program which runs Flash,
>[...]
> It all has to do with a talk I should do someday, and which has
> gotten a fresh kick from Eben Moglen's talk at LinuxCon..
On Tue, 17 Aug 2010 11:35:59 -0400
Benjamin Scott wrote:
> It sounds like what he really wants to do is sandbox an untrusted
> application.
>
> For example, if you don't trust Adobe Reader, you might want to deny
> all network I/O to it.
That's it.
[A virtual machine would also do the j
On 17 Aug 2010 08:43:35 -0400
kevin_d_cl...@comcast.net (Kevin D. Clark) wrote:
> Suggestion: suppose you have set up your system with a uid that is
> protected by some iptables rules (call this UNTRUSTED), and furthermore
> also suppose that the binary that you really want to protect against
> is c
Benjamin Scott writes:
> On Tue, Aug 17, 2010 at 8:43 AM, Kevin D. Clark
> > Well, then, you might want to consider replacing every occurrence of
> > the DOCREADER binary on your system's disk with a script that
> > basically does this:
> >
> > #!/bin/sh
> > exec sudo -u UNTRUSTED DOCREADER-ori
On Tue, Aug 17, 2010 at 8:43 AM, Kevin D. Clark
wrote:
> Well, then, you might want to consider replacing every occurrence of
> the DOCREADER binary on your system's disk with a script that
> basically does this:
>
> #!/bin/sh
> exec sudo -u UNTRUSTED DOCREADER-original "${@}"
Just occurred
On Tue, Aug 17, 2010 at 11:26 AM, Tom Buskey wrote:
> Do other users need to be on the same system w/o restrictions?
It sounds like what he really wants to do is sandbox an untrusted application.
For example, if you don't trust Adobe Reader, you might want to deny
all network I/O to it.
Do other users need to be on the same system w/o restrictions?
If not, I'd create a VM (or physical system if you have $$) with its
own firewall and only that user. Block everything in/out except
what's needed. Run only that app in there. If some sites are
allowed, add a proxy to restrict that.
Suggestion: suppose you have set up your system with a uid that is
protected by some iptables rules (call this UNTRUSTED), and furthermore
also suppose that the binary that you really want to protect against
is called "DOCREADER".
Well, then, you might want to consider replacing every occurrence o
On Tue, Aug 17, 2010 at 1:02 AM, Greg Rundlett (freephile)
wrote:
> I just want to add for those who may be interested in iptables, but not
> wanting to get into the intricacies, you can try "firestarter" [1] or its
> successor GUI app called "ufw" [2] (in Ubuntu)
> [1] http://www.fs-security.com
On Mon, Aug 16, 2010 at 11:24 PM, Bill Sconce wrote:
> I'll give iptables a try. It's at just the right level of brute-
> forceness, and of Linuxness.
>
> I love this list.
disclaimer: I'm jumping into this thread late, and without reading the whole
thing, so this comment may not be relate
On Mon, 16 Aug 2010 16:56:32 -0400
Bill Sconce wrote:
> Does anyone know of a way to prevent a Linux account from accessing
> the Internet?
Wow. Excellent. It looks like iptables may be the ticket. (If my
${very_untrusted_user_UID} is prevented from sending packets out
that does exactly the job
> smart enough to look at who owns the associated socket, it should
> work. Packets don't have owners, true, but a packet without a
> socket is rather like the sound of one hand clapping...
Yah, I had just been imagining the packet in the abstract, in flight,
where such info isn't available. B
On Mon, Aug 16, 2010 at 7:01 PM, Thomas Charron wrote:
> Internally, packets do have owners. Specifically, the application.
Well, as MOD points out, packets being *received* don't have obvious
owners. Or applications. They couldn't, until fairly late in the
network decision flow chart -- af
On Mon, Aug 16, 2010 at 6:47 PM, Benjamin Scott wrote:
> On Mon, Aug 16, 2010 at 6:30 PM, Michael ODonnell
> wrote:
>> There's no notion of UID associated with
>> an IP packet so once it's in transit it's not straightforward
>> to know who "owns" it ...
>
> I've never looked into this, so I don'
On Mon, Aug 16, 2010 at 6:30 PM, Michael ODonnell
wrote:
> There's no notion of UID associated with
> an IP packet so once it's in transit it's not straightforward
> to know who "owns" it ...
I've never looked into this, so I don't know if/how it works, but if
NetFilter is smart enough to look
Interesting question. There's no notion of UID associated with
an IP packet so once it's in transit it's not straightforward
to know who "owns" it, unless maybe the network code happens
to be executing (synchronously) on behalf of the restricted
user (outbound only?) or maybe if the packet can
On Aug 16, 2010, at 4:56 PM, Bill Sconce wrote:
> Does anyone know of a way to prevent a Linux account from accessing
> the Internet?
>
> E.g., setting a [per-user] gateway to nil, or setting permissions
> on some node along the path to eth0?
>
> It's acceptable to be crude, to prevent such an ac
Examples:
http://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html
On Mon, Aug 16, 2010 at 5:12 PM, Thomas Charron wrote:
> iptables can do it.
>
> One of the options is --uid-owner or even --gid-owner
>
> Thomas
iptables can do it.
One of the options is --uid-owner or even --gid-owner
Thomas
On Mon, Aug 16, 2010 at 4:56 PM, Bill Sconce wrote:
> Does anyone know of a way to prevent a Linux account from accessing
> the Internet?
>
> E.g., setting a [per-user] gateway to nil, or setting permissions
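The two suggestions in this thread, an iptables `owner` match on a dedicated uid (Thomas's `--uid-owner` reply) and Kevin's wrapper that re-executes the untrusted binary under that uid via `sudo -u`, fit together in one script. The following is an added example, not code posted by anyone on the list. It assumes a uid you create for this purpose (placeholder `1500`, user name `untrusted`), a placeholder program path `/usr/bin/docreader-original`, a sudoers entry permitting the `sudo -u` call, and the `xt_owner` match available to iptables. Applying the rules needs root; the default mode only prints what would run. The `LOG` rule is my addition so that blocked attempts show up in the kernel log, which is how you confirm the sandbox is doing anything.

```shell
#!/bin/sh
# Added example (not from the thread). Confines one local uid's network
# access with the iptables 'owner' match and generates the launcher wrapper.
# Placeholders: UNTRUSTED_UID=1500, user 'untrusted', /usr/bin/docreader-original.

# Emit the rules for locally generated (OUTPUT) packets whose socket is owned
# by uid $1. As the thread notes, received packets carry no uid, so the owner
# match is only valid in OUTPUT/POSTROUTING; inbound exposure is limited by not
# letting the uid listen, not by this match.
owner_block_rules() {
    uid="$1"
    case "$uid" in
        ''|*[!0-9]*) echo "owner_block_rules: uid must be numeric" >&2; return 1 ;;
    esac
    cat <<EOF
iptables -A OUTPUT -o lo -m owner --uid-owner $uid -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $uid -m limit --limit 5/min -j LOG --log-prefix UNTRUSTED-NET:
iptables -A OUTPUT -m owner --uid-owner $uid -j DROP
EOF
}

# Run the rules (mode=apply, needs root) or just show them (default).
apply_owner_block() {
    uid="$1"; mode="${2:-show}"
    owner_block_rules "$uid" | while IFS= read -r rule; do
        if [ "$mode" = apply ]; then
            eval "$rule"
        else
            echo "would run: $rule"
        fi
    done
}

# Text of the wrapper that replaces the original binary so every launch runs
# as the restricted user; "${@}" forwards the caller's arguments unchanged.
wrapper_script() {
    user="$1"; orig="$2"
    printf '#!/bin/sh\nexec sudo -u %s %s "${@}"\n' "$user" "$orig"
}

# Usage: ./confine.sh        (show rules)   ./confine.sh apply   (install, as root)
apply_owner_block "${UNTRUSTED_UID:-1500}" "${1:-show}"
wrapper_script untrusted /usr/bin/docreader-original
```

Loopback is accepted first so the confined program can still reach local services (an X server, a print spooler); everything else from that uid is logged at a rate limit and then dropped. Check `dmesg` or the kernel log for the `UNTRUSTED-NET:` prefix to see what the program tried to contact.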
On 16-Aug-2010, Bill Sconce sent:
> Does anyone know of a way to prevent a Linux account from accessing
> the Internet?
>
> E.g., setting a [per-user] gateway to nil, or setting permissions
> on some node along the path to eth0?
It appears that iptables has an 'owner' module that could be used t
Does anyone know of a way to prevent a Linux account from accessing
the Internet?
E.g., setting a [per-user] gateway to nil, or setting permissions
on some node along the path to eth0?
It's acceptable to be crude, to prevent such an account from
using any network services whatsoever.
I can see h