LinuxQuestions.org
Old 01-24-2012, 04:48 AM   #1
steampunk
LQ Newbie
 
Registered: Jan 2012
Posts: 11

Rep: Reputation: Disabled
Networking Lockdown For Specific Process


I would like to lock down specific executables from being able to use networking: bluetooth, wireless, ethernet, etc.

I've downloaded untrusted Linux apps (that I like). I'd just like to be precautionary because I don't have the time to read all the source code.

Is there anyway to sand box these apps, while still using them?

I.e., is it possible to change permissions so a specific app can't use networking or any process it spawns?
 
Old 01-24-2012, 11:45 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3530
Quickest and most efficient way IMHO would be to run it as a virtualization guest.
 
Old 01-24-2012, 12:07 PM   #3
steampunk
LQ Newbie
 
Registered: Jan 2012
Posts: 11

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by unSpawn
Quickest and most efficient way IMHO would be to run it as a virtualization guest.
Ok, so create a specific user account with no networking privileges. Do you know if it is possible to execute a program as this virtual guest, but be signed in as another user? Sort of like sudo, but guest-do? (You know, skip all the logging out and in, just lock the permission around the exe)
 
Old 01-24-2012, 12:11 PM   #4
Cedrik
Senior Member
 
Registered: Jul 2004
Distribution: Slackware
Posts: 2,140

Rep: Reputation: 242
Eventually, you could check what the apps do network-wise by using iptables: block and log all connection attempts, then set up iptables rules accordingly. Tedious somewhat, but instructive.
 
Old 01-24-2012, 05:34 PM   #5
steampunk
LQ Newbie
 
Registered: Jan 2012
Posts: 11

Original Poster
Rep: Reputation: Disabled
Cedrik,

Do you know of a how-to that could walk me through the process of getting the logs set up for each app?
 
Old 01-24-2012, 06:10 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3530
Quote:
Originally Posted by steampunk
Ok, so create a specific user account with no networking privileges.
That's what you make of it. I didn't say that. Using a regular user account without networking privileges on the host exposes the host to everything the untrusted application will throw at it. Running untrusted applications in virtualization adds a layer of complexity (as you have to configure private subnet networking, install an OS inside the guest, harden it properly, add tracing if required) but shields the virtualization host from most of what the untrusted application may throw at it.
 
Old 01-24-2012, 06:53 PM   #7
Cedrik
Senior Member
 
Registered: Jul 2004
Distribution: Slackware
Posts: 2,140

Rep: Reputation: 242
Quote:
Originally Posted by steampunk
Cedrik,

Do you know of a how-to that could walk me through the process of getting the logs set up for each app?
I was thinking of general blocking rules, e.g. during the time you run the app and check the log, then flush the rules when you finish testing.

Something like (assuming you connect to the net with the eth0 interface):
Code:
iptables -A OUTPUT -o eth0 -j LOG --log-prefix 'Packet Dropped: '
iptables -A OUTPUT -o eth0 -j DROP
On a terminal check log:
Code:
tail -f /var/log/syslog
Then you run iptables -F when you're finished, after quitting the app, to flush/remove the rules and be able to connect to the network again.

Edit: if you run behind a router/gateway, it's better to add an accept rule for the gateway/router IP:

Code:
iptables -A OUTPUT -o eth0 -d <Gateway IP> -j ACCEPT
iptables -A OUTPUT -o eth0 -j LOG --log-prefix 'Packet Dropped: '
iptables -A OUTPUT -o eth0 -j DROP

Last edited by Cedrik; 01-24-2012 at 07:01 PM.
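An added example, not Cedrik's own script or anything posted in the thread: it wraps the LOG-then-DROP approach from post #7 in two helpers, one that prints the rules (with the gateway ACCEPT first) and one that summarises the "Packet Dropped:" lines the kernel writes to syslog. It goes beyond the thread by using iptables' owner match so only packets from a dedicated "sandbox" user (steampunk's idea in #3) are logged and dropped rather than all of eth0; the interface name, user name, gateway address and the sample log lines are all constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Constructed assumptions: interface
# eth0, the untrusted app runs as dedicated user "sandbox", gateway 192.168.1.1.
# Beyond post #7: the owner match restricts the rules to that user's packets.

IFACE=${IFACE:-eth0}
SANDBOX_USER=${SANDBOX_USER:-sandbox}
GATEWAY=${GATEWAY:-192.168.1.1}

# Print the rules rather than applying them, so they can be reviewed first
# (pipe into "sudo sh" to apply; "iptables -F OUTPUT" undoes them, as in #7).
lockdown_rules() {
    m="-o $IFACE -m owner --uid-owner $SANDBOX_USER"
    printf '%s\n' \
        "iptables -A OUTPUT $m -d $GATEWAY -j ACCEPT" \
        "iptables -A OUTPUT $m -j LOG --log-prefix 'Packet Dropped: '" \
        "iptables -A OUTPUT $m -j DROP"
}

# Read kernel LOG lines (syslog or dmesg) on stdin and summarise what the app
# tried to reach: "count DST PROTO DPT" per destination, busiest first.
# Port-less protocols such as ICMP show "-" for DPT.
summarize_drops() {
    awk '/Packet Dropped: / {
            dst = ""; proto = "?"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "DST")   dst   = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
                if (kv[1] == "DPT")   dpt   = kv[2]
            }
            if (dst != "") count[dst " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }' |
    LC_ALL=C sort -k1,1nr -k2,2
}

# Constructed sample in the LOG target's real field layout (made-up addresses):
# two web connections, one DNS query, one ping, and one unrelated kernel line.
SAMPLE_LOG='Jan 24 18:30:01 host kernel: [ 100.1] Packet Dropped: IN= OUT=eth0 SRC=192.168.1.10 DST=93.184.216.34 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=45678 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 24 18:30:02 host kernel: [ 101.2] Packet Dropped: IN= OUT=eth0 SRC=192.168.1.10 DST=8.8.8.8 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=UDP SPT=51234 DPT=53 LEN=42
Jan 24 18:30:03 host kernel: [ 102.3] Packet Dropped: IN= OUT=eth0 SRC=192.168.1.10 DST=93.184.216.34 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=45679 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 24 18:30:04 host kernel: [ 103.4] Packet Dropped: IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Jan 24 18:30:05 host kernel: [ 104.5] eth0: link is up'

# Stand-alone demo: show the rules, then summarise the sample log.
lockdown_rules
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

Run against the real log with `grep 'Packet Dropped:' /var/log/syslog | sh -c '. ./lockdown.sh; summarize_drops'` (assumed file name) once the app has been exercised, then turn the destinations you trust into ACCEPT rules ahead of the LOG/DROP pair.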
 
Old 01-24-2012, 07:05 PM   #8
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,066
Blog Entries: 11

Rep: Reputation: 910
Another thing to explore would be SELinux; but you may find the time you'll need to invest prohibitive for that particular approach. I like unSpawn's suggestion of virtualising a box and locking it off.
 
All times are GMT -5.