How to deny a user access to the Internet?


Post by Fernando Piaz » Fri, 14 Mar 1997 04:00:00



 Can I deny a user access to the Internet?

 The user will be able to log in my Linux box, but must not have access to
the outside Internet.

 I use a direct ppp connection to my ISP.
 Is this simple or very complex?

Thanks.

 
 
 


Post by Chri » Sun, 16 Mar 1997 04:00:00



>  Can I deny a user access to the Internet?

>  The user will be able to log in my Linux box, but must not have access to
> the outside Internet.

>  I use a direct ppp connection to my ISP.
>  Is this simple or very complex?

> Thanks.

Should be fairly easy.  Anyone you want to be able to use the internet,
put in one group ('special') and leave everyone else as group 'users' or
whatever.

Then change the perms on the Internet programs (telnet,
ftp, rlogin, etc) so that they're owner and group
executable, but not other user executable (750 I think) and
do chgrp on the Internet commands you want to block so that
they're in group 'special' or whatever...

Um, email with questions if you need.

--
The free UNIX operating system
Chris Harshman
XCC System Administrator
http://paradigm.uor.edu/harshman
909.307.7692
    "Linux - the OS people choose without $200,000,000 in persuasion."
  UNIX is user-friendly.  It's just selective about who its friends are.

 
 
 


Post by Paul Dwerryhou » Tue, 18 Mar 1997 04:00:00




>>  Can I deny a user access to the Internet?

>>  The user will be able to log in my Linux box, but must not have access to
>> the outside Internet.
>Should be fairly easy.  Anyone you want to be able to use the internet,
>put in one group ('special') and leave everyone else as group 'users' or
>whatever.
>Then change the perms on the Internet programs (telnet,
>ftp, rlogin, etc) so that they're owner and group
>executable, but not other user executable (750 I think) and
>do chgrp on the Internet commands you want to block so that
>they're in group 'special' or whatever...

This won't necessarily work - there is nothing stopping the user from getting
their own versions of telnet, ftp, etc and compiling them up in their
accounts (or even just dropping a precompiled binary in there).

-rwxr-xr-x   1 root     bin         66525 Dec  6  1995 /bin/telnet*

Since telnet does not need to be suid root to work, users' own compiled
versions would work, too.

To truly block the box off from the Internet, the ISP would need to put
packet filters on its router, saying just where the box is allowed to access
and where it isn't. Very easy to do if the router is a Cisco, probably also
easy if it's a Linux box routing, but I've never played with Linux packet
filtering.

Of course, this has the disadvantage that the whole machine is blocked off
from the net, not just on a user by user basis. Better have an administrator
only machine on hand, too ;)

Cheers,

Paul.

--

"The growing use of e-mail, not to mention Web-page publishing, threatens to
reverse the trend towards illiteracy among the supposedly educated without at
the same time improving their spelling". -- Michael Swaine, Dr. Dobb's Journal

 
 
 


Post by B.A.McCau.. » Wed, 19 Mar 1997 04:00:00



> Can I deny a user access to the Internet?

No.

> The user will be able to log in my Linux box, but must not have access to
> the outside Internet.

If they can do normal things (like execute programs they have written)
then they can access the Internet.  If you confine them to a
restricted shell (or a menu) then you may be able to control what they
can do.

--
Phones: +44 121 471 3789 (home)
PGP-fp: D7 03 2A 4B D8 3A 05 37...
http://wcl-l.bham.ac.uk/~bam/

 
 
 


Post by John Den » Wed, 19 Mar 1997 04:00:00




> > Can I deny a user access to the Internet?

> No.

Hold on, couldn't the `noexec' option of mount(8) be used to mount
(say) /tmp and /home -o noexec? That would have the effect of
disallowing `drop in' replacements to work.

Perhaps chroot would work... that would run with the problem of
keeping two separate root filesystems up to date though.

denty.
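
An added example, not part of the original posts: a small audit of the two controls discussed in the thread so far, the group-restricted client binaries and the `noexec` mounts. The function names and the sample data are assumptions made for the illustration; the telnet line is the one quoted earlier in the thread and the other sample lines are constructed.

```shell
#!/bin/sh
# Added example. The telnet line is quoted from the thread; every other
# sample line below is constructed.
SAMPLE_LS='-rwxr-xr-x   1 root     bin         66525 Dec  6  1995 /bin/telnet*
-rwxr-x---   1 root     special     41000 Dec  6  1995 /bin/ftp*'
SAMPLE_MOUNTS='/dev/hda1 / ext2 rw 0 0
/dev/hda3 /home ext2 rw,nosuid,noexec 0 0'

# other_can_exec MODE: succeed if the "other" execute bit is set in an
# ls -l mode string (10th character is x, or t for sticky plus execute).
other_can_exec() {
    case "$1" in
        ?????????[xt]*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_clients: read `ls -l` lines on stdin and print every program that
# users outside the owning group can still run (mode 755 instead of 750).
audit_clients() {
    while read -r mode _links _owner _group _rest; do
        if other_can_exec "$mode"; then
            path=${_rest##* }             # last field is the path
            printf '%s\n' "${path%\*}"    # drop the ls -F "*" marker
        fi
    done
}

# exec_writable_dirs DIR...: read /proc/mounts-format lines on stdin and
# print each DIR that is not protected by its own noexec mount.
exec_writable_dirs() {
    awk -v want="$*" '
        BEGIN { n = split(want, d, " ")
                for (i = 1; i <= n; i++) st[d[i]] = "not a separate mount" }
        ($2 in st) { st[$2] = (("," $4 ",") ~ /,noexec,/) ? "" : "mounted without noexec" }
        END { for (i = 1; i <= n; i++) if (st[d[i]] != "") print d[i] ": " st[d[i]] }
    '
}

echo "Network clients any user can run:"
printf '%s\n' "$SAMPLE_LS" | audit_clients
echo "User-writable directories where a dropped-in binary would run:"
printf '%s\n' "$SAMPLE_MOUNTS" | exec_writable_dirs /tmp /home
```

On a live system the inputs would be `ls -l` of the client programs and the contents of `/proc/mounts`. `noexec` only covers direct execution from that filesystem, so a clean report is necessary rather than sufficient.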

 
 
 


Post by Colin Beckman » Wed, 19 Mar 1997 04:00:00


Since I upgraded to the 2.0.x kernel PPP does not setup my default route
when a connection is made.  I am using the following command.

exec "/usr/sbin/pppd defaultroute noipdefault lock crtscts  
         mru 296 mtu 296  /dev/ttyS1  38400"

netstat -nr gives me

Kernel routing table
Destination Gateway Genmask         Flags Metric Ref Use    Iface
192.1.6.235 0.0.0.0 255.255.255.255 UH    0      0        0 ppp0
192.1.5.0   0.0.0.0 255.255.255.0   U     0      0        0 eth0
127.0.0.0   0.0.0.0 255.0.0.0       U     0      0        1 lo
0.0.0.0     0.0.0.0 0.0.0.0         U     1      0        0 eth0

Am I doing something wrong, this is the same command I used in
earlier versions.

Suggestions are welcome,

Thanks

--
Colin Beckmann


 
 
 


Post by B.A.McCau.. » Thu, 27 Mar 1997 04:00:00



>exec "/usr/sbin/pppd defaultroute noipdefault lock crtscts  
>         mru 296 mtu 296  /dev/ttyS1  38400"

>netstat -nr gives me

>Kernel routing table
>Destination Gateway Genmask         Flags Metric Ref Use    Iface
>192.1.6.235 0.0.0.0 255.255.255.255 UH    0      0        0 ppp0
>192.1.5.0   0.0.0.0 255.255.255.0   U     0      0        0 eth0
>127.0.0.0   0.0.0.0 255.0.0.0       U     0      0        1 lo
>0.0.0.0     0.0.0.0 0.0.0.0         U     1      0        0 eth0

>Am I doing something wrong, this is the same command I used in
>earlier versions.

You evidently have a bogus "route add default" in your startup scripts
that states that your ethernet *is* the entire Internet.  Remove it.

BTW: Has 192.1.x.x officially been allocated to you by InterNIC?
If not then you should not use it!  See RFC1597 (or the HOWTOs) for
addresses to use.

--
Phones: +44 121 471 3789 (home)
PGP-fp: D7 03 2A 4B D8 3A 05 37...
http://wcl-l.bham.ac.uk/~bam/
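
An added example, not part of the original posts: the two checks made in the reply above, run over the routing table quoted in the thread. It reports which interface carries the default route and which destinations fall outside the RFC1597 private ranges (10/8, 172.16/12, 192.168/16); the function names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example. SAMPLE_ROUTES is the `netstat -nr` output quoted in the thread.
SAMPLE_ROUTES='Kernel routing table
Destination Gateway Genmask         Flags Metric Ref Use    Iface
192.1.6.235 0.0.0.0 255.255.255.255 UH    0      0        0 ppp0
192.1.5.0   0.0.0.0 255.255.255.0   U     0      0        0 eth0
127.0.0.0   0.0.0.0 255.0.0.0       U     0      0        1 lo
0.0.0.0     0.0.0.0 0.0.0.0         U     1      0        0 eth0'

# default_iface: read `netstat -nr` output on stdin and print the interface
# of every default route (destination and genmask both 0.0.0.0).
default_iface() {
    awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $NF }'
}

# is_rfc1597 ADDR: succeed if ADDR lies in 10/8, 172.16/12 or 192.168/16.
is_rfc1597() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_routes: read a routing table on stdin and print one finding per line.
check_routes() {
    table=$(cat)
    for ifc in $(printf '%s\n' "$table" | default_iface); do
        case "$ifc" in
            ppp*) ;;   # default route follows the PPP link, as intended
            *) echo "default route via $ifc, not the PPP link" ;;
        esac
    done
    # Skip the header lines, the default route and loopback.
    printf '%s\n' "$table" |
    awk '$1 ~ /^[0-9]+\./ && $1 != "0.0.0.0" && $1 !~ /^127\./ { print $1 }' |
    while read -r dest; do
        is_rfc1597 "$dest" || echo "$dest is outside the RFC1597 private ranges"
    done
}

printf '%s\n' "$SAMPLE_ROUTES" | check_routes
```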