Old 09-11-2008, 07:09 PM   #1
IndyGunFreak
Senior Member
 
Registered: Aug 2003
Location: Indpls
Distribution: Desktop- Debian Lenny, Laptops- Ubuntu 8.10, Debian Lenny UMPC- Ubuntu 8.10
Posts: 1,296

Rep: Reputation: 55
Restricting 1 User's internet use


I'm thinking there has to be an easy way to do this, and I'm just missing this...

I have 1 PC, 3 Accounts. I want 2 of the accounts to have internet access, and the other to not be able to access the internet. I've unchecked every single box under "user privileges" for that user in User/Groups, and that user can still get on the Internet..

Suggestions please..

IGF
 
Old 09-11-2008, 07:49 PM   #2
IndyGunFreak
Senior Member
 
Registered: Aug 2003
Location: Indpls
Distribution: Desktop- Debian Lenny, Laptops- Ubuntu 8.10, Debian Lenny UMPC- Ubuntu 8.10
Posts: 1,296

Original Poster
Rep: Reputation: 55
Hmm, well there should be a more foolproof way to do this, but fortunately, the user I have to restrict won't have a clue. I disabled networking via nm-applet, then went to sessions, and for that user, set nm-applet to not load at startup.... Before, nm-applet would still load, and she could have just clicked "Enable" or connect to internet, or whatever, and gotten online. Now if she figures out to start nm-applet.. I'll have to figure something else out...

Seems like there would be a group for http access, but if there is, I completely missed it.

Still open to better suggestions if anyone has it, but for now, I've resolved it.

IGF
 
Old 09-11-2008, 09:14 PM   #3
jschiwal
Moderator
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 14,972

Rep: Reputation: 528
Most access controls are for controlling input bound access, such as access to a service, or when you can login, or who can use samba or ssh.

There is an iptables module that can match the owner of a process. This would allow you to block off ports or an interface in the OUTPUT chain for a particular user.

You may also be able to add a policykit rule that matches a particular user. However, I don't know what action would match. ( Note to self: Find a good book on policy kit ).

Take a peek at the iptables info file:
Code:
   owner
       This module attempts to match various  characteristics  of  the  packet
       creator, for locally-generated packets.  It is only valid in the OUTPUT
       chain, and even this some packets (such as  ICMP  ping  responses)  may
       have no owner, and hence never match.

       --uid-owner userid
              Matches  if  the  packet was created by a process with the given
              effective user id.

       --gid-owner groupid
              Matches if the packet was created by a process  with  the  given
              effective group id.

       --pid-owner processid
              Matches  if  the  packet was created by a process with the given
              process id.

       --sid-owner sessionid
              Matches if the packet was created by a process in the given ses-
              sion group.

       --cmd-owner name
              Matches  if  the  packet was created by a process with the given
              command name.  (this option is present only if iptables was com-

I believe that a previous post on this site had an example where if a certain user makes a DNS query, the destination address would be changed to an OpenDNS server. This would allow enforcing family controls, for example.

---

I think that the http owner & group is a system owner/group that the apache web server uses instead of running as root. I don't think you want to add real users to the http group.

Last edited by jschiwal; 09-11-2008 at 09:36 PM.
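
The owner-match approach described in the post above, as an added example that is not from any poster in the thread: it prints (or, with `apply`, runs as root) OUTPUT rules that reject all non-loopback traffic from one account, for both IPv4 and IPv6. The function names and the account name `restricted` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: per-user egress block with the owner match (--uid-owner).
# "restricted" below is a placeholder account name, not one from the thread.

# Print the rules for one numeric UID, one command per line.
owner_block_rules() {
    uid=$1
    for ipt in iptables ip6tables; do   # cover IPv6 as well, or it stays open
        # Keep loopback working so local services (X, CUPS, ...) still function.
        echo "$ipt -A OUTPUT -o lo -m owner --uid-owner $uid -j ACCEPT"
        # REJECT rather than DROP so applications fail at once, not after a timeout.
        echo "$ipt -A OUTPUT -m owner --uid-owner $uid -j REJECT"
    done
}

# Resolve a login name to a UID, then print (default) or apply the rules.
# Usage: restrict_user NAME [apply]
restrict_user() {
    name=$1
    mode=${2:-print}
    uid=$(id -u "$name" 2>/dev/null) || { echo "unknown user: $name" >&2; return 1; }
    if [ "$uid" -eq 0 ]; then
        echo "refusing to block uid 0" >&2
        return 1
    fi
    if [ "$mode" = apply ]; then
        # Needs root. Stops at the first command that fails.
        owner_block_rules "$uid" | while read -r cmd; do $cmd || exit 1; done
    else
        owner_block_rules "$uid"
    fi
}

# Run directly, e.g.:  sh thisfile.sh restricted         (print only)
#                      sh thisfile.sh restricted apply   (as root)
if [ $# -gt 0 ]; then
    restrict_user "$@"
fi
```

Rules added with `-A` are evaluated after any existing OUTPUT rules and are lost on reboot unless saved.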
 
  

