| Linode Forum https://forum.linode.com/ |
|
| Blocking or allowing a precise process https://forum.linode.com/viewtopic.php?f=19&t=3127 |
| Author: | jvm [ Mon Feb 25, 2008 5:20 pm ] |
| Post subject: | Blocking or allowing a precise process |
Hello, I was thinking that it would be useful to be able to allow or deny network access to specific processes. In particular I would like to be able to define such rules through the process name. I thought that iptables could do that, but googling I discovered that the "cmd-owner" feature is long gone. Trying to use a rule like:

Code:
    iptables -A OUTPUT -m owner --cmd-owner foo -j DROP

gives only this result:

Code:
    ipt_owner: pid, sid and command matching not supported anymore

Unfortunately user id and group id don't give the granularity I could achieve with the name of the process, for example when a parent process starts child processes with the same uid and gid but different names. So I would like to ask if anybody knows a way to block (or allow) network access only for specific processes, using their names as a discriminant. |
|
| Author: | SteveG [ Mon Feb 25, 2008 7:13 pm ] |
| Post subject: | |
SELinux? Probably more effort than you want to go to, though. |
|
| Author: | rhashimoto [ Mon Feb 25, 2008 9:00 pm ] |
| Post subject: | |
Can the processes in question be built against libwrap? |
|
| Author: | jvm [ Tue Feb 26, 2008 11:31 am ] |
| Post subject: | |
Thanks for your feedback. Unfortunately I'm trying to restrict precompiled binaries whose sources aren't available, and indeed SELinux is too much for me to manage. Still, I could obtain the desired result by starting the processes I want to restrict with sudo, using a system account created for this purpose, and then deploying iptables rules that match the user id. It surely isn't an elegant solution, but it still allows me to block processes easily. I should have thought about it earlier. However, I hope the option to restrict processes by name will come back in the future, since with my current solution I still can't block only the parent process or the children. Fortunately I don't need this behaviour anymore, so I can cope with the current limitations. Thanks again for your suggestions, I'll keep them in mind if I bump into similar issues again. |
|
| Author: | jdlspeedy [ Tue Feb 26, 2008 3:07 pm ] |
| Post subject: | |
Quote:
    --pid-owner processid
        Matches if the packet was created by a process with the given process id.
    --sid-owner sessionid
        Matches if the packet was created by a process in the given session group.
    --cmd-owner name
        Matches if the packet was created by a process with the given command name. (this option is present only if iptables was compiled under a kernel supporting this feature)
    NOTE: pid, sid and command matching are broken on SMP

Try it with --uid-owner (uid) |
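The workaround jvm describes (a dedicated system account plus owner-match rules on the uid, the same `--uid-owner` jdlspeedy points to) as an added example that is not part of the thread. The account name `netjail`, the binary path `/opt/foo/bin/foo` and the allow-listed address are placeholders chosen for this example; by default the script only prints the rules it would install.

```shell
#!/bin/sh
# Added example (not from the thread): confine a precompiled binary's network
# access by running it under a dedicated system user and matching that uid in
# the OUTPUT chain with the iptables owner match. Since the match is on uid,
# every child the binary forks under the same account is covered too; that is
# both the point and the limitation jvm mentions (no parent/child distinction).

# Emit the iptables commands (one per line) that deny all outbound traffic for
# a user, except loopback and an optional allow-list of "dst:port" TCP pairs.
# The owner match only exists for locally generated packets, i.e. OUTPUT.
build_rules() {
    user="$1"; shift
    echo "iptables -A OUTPUT -m owner --uid-owner $user -o lo -j ACCEPT"
    for pair in "$@"; do
        dst="${pair%%:*}"; port="${pair##*:}"
        echo "iptables -A OUTPUT -m owner --uid-owner $user -p tcp -d $dst --dport $port -j ACCEPT"
    done
    # Log before dropping so blocked attempts are visible in the kernel log.
    echo "iptables -A OUTPUT -m owner --uid-owner $user -j LOG --log-prefix \"owner-drop $user: \""
    echo "iptables -A OUTPUT -m owner --uid-owner $user -j DROP"
}

# Number of rules a call would install (used as a sanity check).
rule_count() {
    build_rules "$@" | wc -l | tr -d ' '
}

# Dry run by default. With APPLY=1, as root, install the rules and start the
# binary under the restricted account (placeholder user and path).
if [ "${APPLY:-0}" = "1" ]; then
    id netjail >/dev/null 2>&1 || useradd --system --shell /usr/sbin/nologin netjail
    build_rules netjail "203.0.113.10:443" | sh -e
    exec sudo -u netjail /opt/foo/bin/foo
else
    build_rules netjail "203.0.113.10:443"
fi
```

Blocked connection attempts then appear in the kernel log with the `owner-drop netjail:` prefix, which is what you would watch to confirm the confinement is doing something.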
|
| All times are UTC-04:00 |