If I wanted to prevent a particular application from accessing the network, how would I do it? I'm assuming that, although it can be achieved with iptables, attempting to prevent access at the firewall level is not the best way to do it. Would the best way be to run the program as a user who is denied access to the network?
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
deny network access
- Thread starter mikeEd
- Start date
I found this while googling for some kind of info for your question. Looks interesting. I've bookmarked it for a rainy day 
--
JR
--
JR
- Thread starter
- #3
Yes, that sounds like some overkill if it's only one application. You could create a new group like "netuser" with:
Next:
Then:
That way only root and members of "netuser" group can run the application. To add memebers to "netuser", there's probably an easy way/front-end helper application in your distribution. I just use "vigr" and edit the group file using vi (just add the user name to the end of the line that starts with the group name). --
JR
Code:
groupadd netuser
Code:
chgrp netuser <your application binary>
Code:
chmod 550 <your application binary>JR
- Thread starter
- #5
There indeed is just that, but the first thing you asked and the last thing you asked are totally different.
just do the same thing to the NIC as you would the application, grant the eth0's driver access to only those who you want.... (after all everything is a file in Unix/Linux)
just do the same thing to the NIC as you would the application, grant the eth0's driver access to only those who you want.... (after all everything is a file in Unix/Linux)
- Thread starter
- #7
Do you mean the ethernet device under /dev, which doesn't exist?
As far as I can see that's exactly what I asked in the first place; i.e. how can I deny network access to a single user, and thus deny network access to a specific application by running it in the context of that user?
Or is there any other way to achieve what I originally asked about? I'm open to suggestions.
As far as I can see that's exactly what I asked in the first place; i.e. how can I deny network access to a single user, and thus deny network access to a specific application by running it in the context of that user?
Or is there any other way to achieve what I originally asked about? I'm open to suggestions.
The first time you asked about keeping an application from the net, not user... I wonder why it's not there, I just looked and it's not there on my system either, which is odd because before the upgrade it was there... hmmm.. you could make it root only fairly easily by not having not active at boot, and then not allowing other users to activate it.
- Thread starter
- #9
Well I actually asked:
"Would the best way be to run the program as a user who is denied access to the network?"
Thus if I could deny network access for a user, I could deny it for a program. Unfortunately your suggestion, therefore, isn't feasible if I want to keep the connection up but restrict who can use it.
I'm amazed that there seems to be no easy answer to this question.
"Would the best way be to run the program as a user who is denied access to the network?"
Thus if I could deny network access for a user, I could deny it for a program. Unfortunately your suggestion, therefore, isn't feasible if I want to keep the connection up but restrict who can use it.
I'm amazed that there seems to be no easy answer to this question.
- Status
Similar threads
- Locked
- Question