I've always wondered how to block sockets oon the system to some of the users. I mean it can be done by Bastille scripts, but I wonder is there any other way?

//----
I want something like this:

I mean it can be done by Bastille scripts
Could you explain *what* Bastille Linux does to block users from opening sockets?


open socket: Operation not permitted
That's not very interesting IMHO, it's just a printf string. What's interesting is what causes it and if it can't be subverted.


is there any other way?
There's some ways, some more crude / elaborate than others:
- Iptables rules based on UID. Can't add "on demand" per-UID rules so it's crude IMO.
- Use 'lcap' to take away 'Linux capabilities' like CAP_NET_ADMIN or CAP_NET_BIND_SERVICE ("man capabilities"). Crude: no difference between root account and other users AFAIK :-] so breaks about everything.
- Dump user in a chroot and don't put network-capable apps (that includes Bash) in the chroot and don't allow users to compile, access or add network-capable applications.
- Use the GRSecurity kernel patch. Gain control over per-user tweaking knobs like who is allowed to use sockets, server sockets or client sockets and TPE (necessary for denying users to compile, access or add network-capable applications), can do finegrained access to apps (RBAC) and control 'Linux capabilities'.
- Use SELinux. More versatile compared and has steeper learning curve compared to GRSecurity. Deny users to transition to domain of network-capable applications. Could have some rules that affect networking using iptables but I'm not that far (yet).

To be honest that's what I am really asking in this thread. How the beatiful Bastille script is doing such things ?

To be honest that's what I am really asking in this thread.
No, you don't. Really.
If you thought you did, go learn how to phrase questions properly.
With all due respect and all that.

Never seen such a feature on Bastille. You have the bastille-firewall but I don't think it plays with UID.

You know that some applications communicate locally with others or even with themselves through socket?
Which means that some applications might not run anymore after such hardening.

Yes you're right, I've made one mistake. Bastille can block it for all users, excluding only root...

Yeah, I know that as I said I wonder how Bastille did it...

My first question in the topic was: How to block sockets. Than I said that Bastille can do such a thing, so I meant that as a reason of using those scripts I have some of the sockets block... So I asked is there a way to block without using Bastille.

I am not a native english speaker so sometimes I have problems with saying what I really have on my mind.. So don't get too angry Still learning... so I will consider your suggestions and watch out when asking someone...

So don't get too angry
I apologise without reserve.

I choosed grsecurity patch... I have been using grsecurity anyway for some time, but I didn't spend too much time on configuring it in the kernel. Now I see that grsecurity can block a group with selected GID, or you can even choose to deny client or server sockets to some groups. This is enough for me.
Huge thanks !