> Grant <emailgr...@gmail.com> wrote:
>
>> That sounds good, how can I do that?
>
> iptables module "owner" handles that stuff, just "man iptables" if
> you have any trouble.
>
> iptables -A OUTPUT -m owner --uid-owner someuser -p tcp -m tcp --dport http -j REJECT
>
> Alternatively, you can use a numeric uid or match the user's group:
>
> iptables -A OUTPUT -m owner --gid-owner users -p tcp -m tcp --dport http -j REJECT
>
> As simple as that ;)
>
> If blocking every possible user is too much trouble or you wish to
> block just firefox, but not wget to the http port for _all_ users (not the
> same case as emerge from root), you can write a simple SUID wrapper for
> the firefox binary, which changes the group to a restricted one (but leaves uid
> and home unchanged), then launches the true firefox binary, to which only
> that group has access.
>
> --
> Mike Kazantsev // fraggod.net
Thanks Mike, that sounds like exactly what I should do. - Grant
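The group-changing SUID wrapper Mike sketches above, written out as an added example (not code from the thread). The real binary path and the group name `websandbox` are assumptions; the wrapper is meant to be installed setuid root, with the real firefox binary executable only by that group, and paired with an iptables `--gid-owner websandbox` rule.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical path of the real browser binary, installed mode 0750
 * root:websandbox so only the restricted group can execute it directly. */
#define REAL_BIN   "/usr/lib/firefox/firefox-wrapped"
#define RESTRICTED "websandbox"   /* hypothetical restricted group name */

/* Look up a group by name; returns (gid_t)-1 if it does not exist. */
gid_t resolve_group(const char *name)
{
    struct group *g = getgrnam(name);
    return g ? g->gr_gid : (gid_t)-1;
}

/* Switch real, effective and saved gid to `target`, drop supplementary
 * groups, then give up root by setting every uid to the caller's real uid.
 * Returns 0 on success, -1 on any failure; the caller must NOT exec then. */
int drop_to_group(gid_t target)
{
    uid_t ruid = getuid();
    /* setgroups() needs CAP_SETGID, so it runs while euid is still 0. */
    if (setgroups(1, &target) != 0) return -1;
    if (setresgid(target, target, target) != 0) return -1;
    if (setresuid(ruid, ruid, ruid) != 0) return -1;
    /* Verify nothing silently stayed privileged. */
    if (getegid() != target || geteuid() != ruid || getuid() != ruid) return -1;
    if (ruid != 0 && setuid(0) == 0) return -1;  /* root must be unrecoverable */
    return 0;
}

int main(int argc, char **argv)
{
    gid_t gid = resolve_group(RESTRICTED);
    if (gid == (gid_t)-1) { fprintf(stderr, "no such group %s\n", RESTRICTED); return 1; }
    if (drop_to_group(gid) != 0) { perror("privilege drop"); return 1; }
    /* HOME and the rest of the environment are left untouched, as in the post. */
    argv[0] = REAL_BIN;
    execv(REAL_BIN, argv);
    perror("execv");   /* only reached if exec failed */
    return 1;
}
```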