I have a multi-user box on which I wish to restrict internet access for certain users (teenagers). I am running 8.2 with internet connection through eth0, always connected. I think this relates to groups and possibly user ID numbers, but am unsure how to proceed. Any ideas? Ed Harrison, broadcasting on: L I N U X by SuSE (8.2), Kernel 2.4.20, X-server 4.3, PolarBarMailer 1.25a
On Tuesday 27 May 2003 19:18, Ed Harrison wrote:
I have a multi-user box on which I wish to restrict internet access for certain users (teenagers).
What do you mean by "restrict"? Block all access? Just some sites? Email? News? IM? -- "...our desktop is falling behind stability-wise and feature wise to KDE ...when I went to Mexico in December to the facility where we launched gnome, they had all switched to KDE3." - Miguel de Icaza, March 2003
** Reply to message from Derek Fountain
Ed Harrison wrote:
** Reply to message from Joe Dufresne
Why don't you just run some sort of script in their
profile which would shutdown eth0 for them, you can go
even further to be safe and remove the appropriate
module :).
my 2 cent
Martin
--- Ed Harrison
** Reply to message from Joe Dufresne
on Tue, 27 May 2003 18:40:59 -0700
# just make a group (like dialout) and only include as members those
# people allowed to dial out.
#
# Joe
I have a ADSL connection that is "always on". I want to restrict the boys from internet access without having to carry the modem to work with me.
What devices, files, etc. do I need to give to the group to prevent the connection outbound?
Ed Harrison, broadcasting on: L I N U X by SuSE (8.2), Kernel 2.4.20, X-server 4.3, PolarBarMailer 1.25a
-- Check the headers for your unsubscription address For additional commands send e-mail to suse-linux-e-help@suse.com Also check the archives at http://lists.suse.com Please read the FAQs: suse-linux-e-faq@suse.com
I have a ADSL connection that is "always on". I want to restrict the boys from internet access without having to carry the modem to work with me.
Take the cable then. :o)
What devices, files, etc. do I need to give to the group to prevent the connection outbound?
You can't, I don't think. The ethernet connection doesn't work as a file, so there's nothing to restrict permissions on. If your boys know the root password, you're stuffed. If not, you have a few options, depending on how savvy they are.

Your best bet is to set up a firewall, preferably, but not necessarily, on another machine. That gives you maximum flexibility for controlling what goes in and out at what time.

If total disconnection is the goal, set a cron job to take down the appropriate ethernet connection during your work hours.

If just disconnecting from web sites would suffice, and the boys don't know too much, set up wwwoffle as a local proxy. That allows (IIRC) you to control which users can access the web service. Of course, if the boys know how to change the web browser's proxy, that won't work unless you use some iptables to force outbound web connections to go through it transparently.

I can't think of anything else, but I might have missed something obvious!

-- "...our desktop is falling behind stability-wise and feature wise to KDE ...when I went to Mexico in December to the facility where we launched gnome, they had all switched to KDE3." - Miguel de Icaza, March 2003
I shut down my always-on ADSL connection regularly. To close down a specific interface such as eth0, run

/sbin/ifdown eth0

and to bring it up again run

/sbin/ifup eth0

Both need to be done as root. It is best to use sudo to run them. Sudo allows a specific user to run certain defined (in /etc/sudoers) scripts or programs as root (or any other defined user). For details read the man pages sudo and sudoers.

I further alias the commands to 'netdown' and 'netup' in my $HOME/.bashrc file:

alias netup='sudo /sbin/ifup eth0'
alias netdown='sudo /sbin/ifdown eth0'

Hope this helps
Basil Fowler
How about this!!! What about changing file permissions on all browser, mail, IRC, and FTP applications??? Definitely remove all of these types of applications from their /home/'sillyteenager' directories first, then secure the main applications by ensuring correct file permissions are set.

Take a look at KDE Control Panel > Yast2 Modules > Security & Users > Security Settings as an option. The paranoid setting lets you (root) control user access to all X applications. Or do it manually with all applications that could access information from the internet.

Also, make sure you have access to their desktops, by knowing their passwords or setting them up with password-less logins. This way you can see if they are using pictures of nude women as their desktop #5 backgrounds, or have the complete text of 'The Anarchists Cookbook' in their Documents directory ;-) (Don't laugh too loud) Or, just take a look at their /home directories from time to time, to see if they're trying to circumvent anything. Also, you may want to change your root password on a regular basis.

Just some random wanderings from the scrambled mind of the father of a teenage boy. Good Luck!

Bernd -- "If you want to build a ship, don't drum up the men to gather wood, divide the work, and give orders. Instead, teach them to yearn for the vast and endless sea." Antoine de St. Exupery
On Wednesday 28 May 2003 17:39, Bernd wrote:
How about this!!!
Those ideas could work. I've come up with a couple more:

The SuSE kernel (which I don't use, so I can't be sure, but...) seems to be compiled with the experimental CONFIG_IP_NF_MATCH_OWNER set, which means iptables might be able to do what's required. From the man page:

owner
This module attempts to match various characteristics of the packet creator, for locally-generated packets. It is only valid in the OUTPUT chain, and even this some packets (such as ICMP ping responses) may have no owner, and hence never match.

--uid-owner userid
Matches if the packet was created by a process with the given effective user id.

so for example you could do:

iptables -A OUTPUT -m owner --uid-owner 1000 -j ACCEPT

to allow outgoing traffic created by the user with userid 1000

Well, maybe. I've never tried anything like that.

Also, maybe SOCKS can do it? I've never used a SOCKS server except as a client, but I think authentication is one of its tricks: http://www.socks.permeo.com/AboutSOCKS/SOCKSOverview.asp

-- "...our desktop is falling behind stability-wise and feature wise to KDE ...when I went to Mexico in December to the facility where we launched gnome, they had all switched to KDE3." - Miguel de Icaza, March 2003
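An added example (mine, not Derek's or the list's) that takes the owner match he quotes one step further than his single ACCEPT line: it prints one REJECT rule per restricted account for locally generated packets, and resolves user names to numeric ids first so the rules do not depend on name lookups at load time. The interface name, the uids 1001 and 1002, and the print-rather-than-apply design are assumptions. Derek's caveat from the man page still holds: only the OUTPUT chain is covered, and packets with no owner never match. Joe's "make a group" idea maps onto the companion --gid-owner option of the same match.

```shell
#!/bin/sh
# Added example, not code from the thread: build iptables OUTPUT rules that
# use the owner match, rejecting packets created by the listed users.
# The user ids and the interface below are constructed for the demo.

# Resolve a user name to a numeric uid so the rule does not depend on
# name lookups at load time; numeric input is passed through unchanged.
# Fails if the name does not exist on this system.
resolve_uid() {
    case $1 in
        ''|*[!0-9]*) id -u "$1" 2>/dev/null || return 1 ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# Print one REJECT rule per user for locally generated packets leaving
# the given interface. Nothing is applied here; pipe the output into
# "sh" as root to load it (e.g. from an init script).
owner_block_rules() {
    iface=$1
    shift
    for user in "$@"; do
        uid=$(resolve_uid "$user") || return 1
        printf 'iptables -A OUTPUT -o %s -m owner --uid-owner %s -j REJECT\n' \
            "$iface" "$uid"
    done
}

# Usage: print the rules for two restricted accounts (constructed uids).
owner_block_rules eth0 1001 1002
```

REJECT rather than DROP is deliberate: the browser gets an immediate error instead of hanging, which makes the restriction visible and debuggable. Because the match looks at the process that created the packet, it covers any program the user runs, including a private copy in $HOME, which is the gap the chmod approaches elsewhere in this thread leave open.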
** Reply to message from Basil Fowler
On Wednesday 28 May 2003 4:38 am, Derek Fountain wrote:
Your best bet is to set up a firewall, preferably, but not necessarily on another machine. That gives you maximum flexibility for controlling what goes in and out at what time. What about setting up a proxy? Then you could effectively disable their access to the .net just by revoking proxy-permissions? I haven't done this myself, but thought it might be a way forward :)
Derek Fountain wrote:
I have a ADSL connection that is "always on". I want to restrict the boys from internet access without having to carry the modem to work with me.
Take the cable then. :o)
[snip] I have a client who was having this problem with his two teenage social misfits. :) What I finally did was to remove them to another group, where they had NO access to any installed browser. They have NO access to the Net, except for email. 'Course, any junk mail for a porno site is a "bust" because they don't have access to a browser. The father had warned them about doing this a day before he asked me to "fix" the box. I had assured the boys that I could see to it that they no longer had access. They just smiled, and thought they'd find a way around the changes. It's a LOT easier to block access on a Linux box than on 'Bloze. Fred -- Fred A. Miller Systems Administrator Cornell Univ. Press Services fm@cupserv.org, www.cupserv.org
On May 28, 2003 04:38 pm, Fred A. Miller wrote:
The father had warned them about doing this a day before he asked me to "fix" the box. I had assured the boys that I could see to it that they no longer had access. They just smiled, and thought they'd find a way around the changes. It's a LOT easier to block access on a Linux box than on 'Bloze.
Kids today. In my day I would have just installed whatever I wanted when you left-))))) Nick
On Wednesday 28 May 2003 13:56, Nick Zentena wrote:
On May 28, 2003 04:38 pm, Fred A. Miller wrote:
The father had warned them about doing this a day before he asked me to "fix" the box. I had assured the boys that I could see to it that they no longer had access. They just smiled, and thought they'd find a way around the changes. It's a LOT easier to block access on a Linux box than on 'Bloze.
Kids today. In my day I would have just installed whatever I wanted when you left-)))))
Nick
No way to install without root access. No way to download without a browser or ftp. Bernd -- "If you want to build a ship, don't drum up the men to gather wood, divide the work, and give orders. Instead, teach them to yearn for the vast and endless sea." Antoine de St. Exupery
* Bernd (bernd@covenantmail.net) [030528 14:05]:
No way to install without root access. No way to download without a browser
Of course you can. There's nothing stopping you from installing whatever you want into your home directory. Even if you block all outgoing traffic as long as they have physical access to the machine they can change the root password. -- -ckm
Another point: you should protect LILO with a password, otherwise you can boot into single user mode and then change the root password.

Basil Fowler

Oh what a web you have to weave
When you start to deceive!

On Wednesday 28 May 2003 21:25, Christopher Mahmood wrote:
* Bernd (bernd@covenantmail.net) [030528 14:05]:
No way to install without root access. No way to download without a browser
Of course you can. There's nothing stopping you from installing whatever you want into your home directory. Even if you block all outgoing traffic as long as they have physical access to the machine they can change the root password.
--
-ckm
On Thursday 29 May 2003 08.36, Basil Fowler wrote:
Another point,
You should protect LILO with a password, otherwise you can boot into single user mode and then change the root password
If you can boot the machine at all, then you almost have to have physical access, and then all security is completely out the window.
Oh what a web you have to weave
When you start to deceive!
I thought it was Oh what a tangled web we weave when first we practice to deceive
Yes - you are right, I was too lazy to check the original couplet! According to the Oxford Dictionary of Quotations, it is in Marmion, by Sir Walter Scott, canto 6, stanza 17. Basil Fowler
* Anders Johansson
On Thursday 29 May 2003 08.36, Basil Fowler wrote:
Another point,
You should protect LILO with a password, otherwise you can boot into single user mode and then change the root password
If you can boot the machine at all, then you almost have to have physical access, and then all security is completely out the window.
Oh what a web you have to weave
When you start to deceive!
I thought it was
Oh what a tangled web we weave when first we practice to deceive
One bright day in the middle of the night
Two dead boys got up to fight
Back to back they faced each other
Drew their swords and shot each other
A deaf policeman heard the noise
He came and killed those two dead boys
One bright day in the middle of the night

As I was walkin' up the stair
I saw a man who wasn't there
He wasn't there again today
Oh how I wish he'd go away
(What the Blind Man Saw)

-- Patrick Shanahan Please avoid TOFU and trim >quotes< http://wahoo.no-ip.org Registered Linux User #207535 icq#173753138 @ http://counter.li.org Linux, a continuous *learning* experience
No way to install without root access. No way to download without a browser or ftp.
I am not so certain. What is to stop them getting a browser on a CDROM from a friend and installing it in their $HOME/bin directories? Inelegant to be sure, but it should work. If the $HOME directories are on a separate partition, it should be possible to set the /etc/fstab options of the relevant line to 'noexec', which prevents any program located on that partition from being executable. Just my tuppence. Basil Fowler
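As an added example (not from Basil's message), a small audit script that parses an fstab and reports whether the home partition carries the noexec option he suggests. The fstab text, device names and mount points are constructed for the demonstration; point it at the real /etc/fstab to audit a machine.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an fstab and report whether
# a given mount point is mounted noexec. The fstab content below is a
# constructed sample.

# Print the mount options of the entry for a mount point, or fail if there
# is no such entry. Comment lines and short lines are skipped.
fstab_options() {
    fstab=$1 mnt=$2
    awk -v mnt="$mnt" '
        /^[ \t]*#/ || NF < 4 { next }
        $2 == mnt { print $4; found = 1; exit }
        END { exit found ? 0 : 1 }
    ' "$fstab"
}

# Return 0 if the mount point has noexec among its options. The option
# list is wrapped in commas so "noexec" cannot match inside another word.
has_noexec() {
    opts=$(fstab_options "$1" "$2") || return 1
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: /home lacks noexec, /tmp has it.
SAMPLE_FSTAB=$(mktemp)
trap 'rm -f "$SAMPLE_FSTAB"' EXIT
cat > "$SAMPLE_FSTAB" <<'EOF'
# device     mountpoint  type   options                 dump pass
/dev/hda1    /           ext3   defaults                1    1
/dev/hda3    /home       ext3   defaults,nosuid         1    2
/dev/hda4    /tmp        ext3   defaults,nosuid,noexec  1    2
EOF

# Usage: report each mount point. The fix for a missing entry is to add
# noexec to the options column and run "mount -o remount /home" as root.
for m in /home /tmp; do
    if has_noexec "$SAMPLE_FSTAB" "$m"; then
        echo "$m: noexec set"
    else
        echo "$m: noexec missing"
    fi
done
```

The check reads the configuration rather than the live mount table, so it tells you what will be in force after the next boot; compare with the output of mount to confirm the running state matches.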
** Reply to message from "Fred A. Miller"
* Ed Harrison (ed.tman@verizon.net) [030528 14:48]:
I realize that the name of the new group does not matter. But how did you "move" them, and how did you restrict that group to NO access to any installed browser?
Make the browser executable (or script) mode 750, change its group to foo, and add users who can use it to group foo. -- -ckm
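ckm's recipe as an added, runnable example (my code, not his): one function applies the group and mode, and a check reports whether "other" still has any permission bits. The group name and the stand-in program are constructed so the demo runs without root; the same calls against the real browser path and a real group need root. The thread's own caveat applies: this restricts one file, and a copy of the browser placed in $HOME is a different file with its own permissions.

```shell
#!/bin/sh
# Added example, not code from the thread: restrict a program to a group
# (mode 750, group changed) and verify the result. The program below is a
# constructed stand-in; the group is the caller's own primary group so the
# demo needs no privileges.

# Restrict a program so that only its owner and members of group $2 may
# run it.
restrict_to_group() {
    prog=$1 grp=$2
    chgrp "$grp" "$prog" && chmod 750 "$prog"
}

# Print the permission string of a file (e.g. -rwxr-x---) using ls, which
# works on more systems than the GNU-only "stat -c".
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Return 0 if "other" still has any of r, w or x on the program.
others_can_use() {
    case $(perm_string "$1") in
        ???????---) return 1 ;;
        *) return 0 ;;
    esac
}

# Usage with a constructed stand-in for a browser binary.
DEMO_PROG=$(mktemp)
trap 'rm -f "$DEMO_PROG"' EXIT
printf '#!/bin/sh\necho browser\n' > "$DEMO_PROG"
chmod 755 "$DEMO_PROG"
restrict_to_group "$DEMO_PROG" "$(id -gn)"
echo "$DEMO_PROG is now $(perm_string "$DEMO_PROG")"
```

Run others_can_use over every network client you care about after a package update, since a reinstalled package will typically reset the mode to 755.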
** Reply to message from Christopher Mahmood
* Ed Harrison (ed.tman@verizon.net) [030528 15:18]:
# Make the browser executable (or script) mode 750, change its group
# to foo, and add users who can use it to group foo.
Won't setting Konqueror to "foo" mess up a lot of stuff in KDE and SuSE?
Well, konqueror won't work if you aren't in the foo group. If you don't use kde that's not really a problem. A better solution is to force all traffic to port 80 and 443 through a proxy that the user has to authenticate to in order to use. Of course, the kids can always just find an open proxy somewhere that they can use to bypass this restriction as well. Once they get that sophisticated they'd probably figure out that they can just boot with 'init=/bin/sh' in order to change root's passwd (and the restrictions) or boot from something like the live eval cd. -- -ckm
** Reply to message from Christopher Mahmood
For the time being I have added sudo /sbin/ifdown eth0 to each $HOME/.bashrc per the suggestion from Basil Fowler, but how long will it take them to learn enough linux to know they can edit that file without root permission?
Well that one's easy - set the .bashrc files to be owned by root and ensure they aren't other-writable. -- "...our desktop is falling behind stability-wise and feature wise to KDE ...when I went to Mexico in December to the facility where we launched gnome, they had all switched to KDE3." - Miguel de Icaza, March 2003
On Thursday 29 May 2003 04:00, Derek Fountain wrote:
For the time being I have added sudo /sbin/ifdown eth0 to each $HOME/.bashrc per the suggestion from Basil Fowler, but how long will it take them to learn enough linux to know they can edit that file without root permission?
It does not matter if the .bashrc file is editable. The alias in the .bashrc file is just for convenience. The .bashrc file concerned is the one in YOUR private $HOME directory, which should be readable only by yourself.

The point of sudo is to give a specified ordinary user limited rights to execute a specific program that requires root access. The rights are set out in the /etc/sudoers file, which should be readable only by root. The rights are NOT in the .bashrc file. sudo normally requires the authorised user to enter his/her personal password before the program is run. So if you keep your personal and root password to yourself, others will not be able to run the ifdown or ifup commands.

Hope this helps
Basil Fowler
On Thursday 29 May 2003 04.53, Ed Harrison wrote:
In cmos, I have disabled booting from cd and floppy.
With physical access to the machine, this isn't a problem. Simply open the box and remove the CMOS battery for a number of minutes so the motherboard resets to factory defaults. On most motherboards there is also a jumper you can short circuit to reset to factory defaults. You could use encrypted partitions, but the kids could still surf while running the live CD, or something else, like knoppix.
Anders Johansson wrote:
| On Thursday 29 May 2003 04.53, Ed Harrison wrote:
|>In cmos, I have disabled booting from cd and floppy.
| With physical access to the machine, this isn't a problem. Simply open the box and remove the CMOS battery for a number of minutes so the motherboard resets to factory defaults.

Physically remove the CD drives and floppy. Use hot glue to fill the unused floppy/IDE ports on the board, and get a cable for the HD with only one output. Not impossible to bypass, but it would take more work.

Joe

-- SuSE Linux 8.1 (i386) Kernel: 2.4.19-4GB / i686 | Posted from: Miverna ~ 6:44pm up 3 days, 1:17, 8 users, load average: 0.03, 0.13, 0.15 nqs@tmcom.com | http://tigger.tmcom.com/~nqs/blogger.html
* Ed Harrison (ed.tman@verizon.net) [030528 19:49]:
In cmos, I have disabled booting from cd and floppy.
What happens when you cycle the power by unplugging the battery on the motherboard?
I don't know anything about proxies, except I use privoxy on my machine. What kind of proxy are you referring to?
It could be any sort of open http proxy. If spammers can find them there's no reason the kids couldn't.
For the time being I have added sudo /sbin/ifdown eth0 to each $HOME/.bashrc per the suggestion from Basil Fowler, but how long will it take them to learn enough linux to know they can edit that file without root permission?
You can always chown the .bashrc files to root.root. Of course, it's probably much easier to just go to a friend's house and use their computer. -- -ckm
** Reply to message from Christopher Mahmood
* Ed Harrison (ed.tman@verizon.net) [030529 13:01]:
# it's probably much easier to just go to a friend's house and use # their computer.
Say, you're not a teenager, are you? :-)
Actually, I'm wrong there so maybe. Anders pointed out that since the directory is owned by the user, chowning the file to root doesn't help since the name is controlled by the directory inode. In other words,

mv .bashrc foo
vi .bashrc

will work. -- -ckm
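An added demonstration (my code, not ckm's or Anders's) of the point just made: a read-only file stands in for the root-owned .bashrc, and the function shows it can be renamed away and replaced because the user owns the directory that holds the name. The directory and the file contents are constructed. The conclusion the thread reaches elsewhere follows from this: the restriction has to live in root-controlled places (the sudoers file, the firewall), not in a dotfile under a directory the user controls.

```shell
#!/bin/sh
# Added example, not code from the thread: show that write permission on a
# directory, not on the file, decides whether a dotfile can be replaced.
# A chmod 444 file stands in for a root-owned .bashrc so no root is needed.

# Return 0 if a user who cannot write $dir/.bashrc can still replace it
# through the directory entry; the original content ends up in "foo".
dotfile_rename_bypass() {
    dir=$1
    printf 'sudo /sbin/ifdown eth0\n' > "$dir/.bashrc"
    chmod 444 "$dir/.bashrc"                  # contents are not writable
    mv "$dir/.bashrc" "$dir/foo" || return 1   # but the name can be moved
    printf '# empty\n' > "$dir/.bashrc"        # and a fresh file created
    grep -q ifdown "$dir/.bashrc" && return 1  # old line must be gone
    return 0
}

# Usage: run the demonstration in a throwaway directory standing in for
# a home directory owned by the user.
DEMO_HOME=$(mktemp -d)
trap 'rm -rf "$DEMO_HOME"' EXIT
if dotfile_rename_bypass "$DEMO_HOME"; then
    echo "read-only .bashrc was replaced: the directory owner decides"
else
    echo "replacement failed"
fi
```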
On Wed, 2003-05-28 at 21:53, Ed Harrison wrote:
** Reply to message from Christopher Mahmood
on Wed, 28 May 2003 16:04:54 -0700
# A better solution is to force all traffic to port 80 and 443 through
# a proxy that the user has to authenticate to in order to use. Of
# course, the kids can always just find an open proxy somewhere that
# they can use to bypass this restriction as well. Once they get that
# sophisticated they'd probably figure out that they can just boot
# with 'init=/bin/sh' in order to change root's passwd (and the
# restrictions) or boot from something like the live eval cd.
In cmos, I have disabled booting from cd and floppy.
In grub, the command line is md5 password protected. Default linux is the only choice they have.
Grub is in the mbr and dual-boot to their mom's win98 is also md5 password protected.
Wow. You've done some hard work here. If you trust the lock on the case, you should be alright.
For the time being I have added sudo /sbin/ifdown eth0 to each $HOME/.bashrc per the suggestion from Basil Fowler, but how long will it take them to learn enough linux to know they can edit that file without root permission?
This is the problem with locking down users that are *supposed* to be on the local machine. There are an infinite number of problems here. I've seen a lot of tiresome posts about chmod'ing the executable bits of networkable programs, when the point is that it's very easy to wget a new copy of Mozilla and stuff it in your home directory. I think you're wasting your time here.
I don't know anything about proxies, except I use privoxy on my machine. What kind of proxy are you referring to?
You're on the right track here. I would recommend that you get a second computer and make it a proxying firewall. This other computer can just be an el cheapo P100 castoff or something. (Mine's a 200, and it's great.) The point is that you must combine a proxy with a firewall. I don't see how you could do this on your workstation alone, but I've not thought about it real hard. Plus, if this war of privileges escalates, and the kids get into it, they could root the workstation. (From what I read, it's not that hard, but the process is _greatly_ facilitated if you have a local login. On a separate firewall, you could keep this advantage out of their hands.)

What you need to do on the firewall is to NOT forward packets. In your firewall rules, you only let the proxy get out to the net from the firewall itself. Set up your proxy for authentication, and don't give the kids credentials. Then they just _won't_ get to the internet, for any kind of communication. If you want them to have email, you can open that up for them, or just collect their mail on the firewall (ala fetchmail), and let them pick it up there.

By now, it's starting to become clear that this is an exercise, not in technology, but psychology. I'm guessing these kids need some sort of office program? for school? Else -- once you've "cut the cord" -- why bother with a computer these days? It's a Linux computer, so it's _probably_ not for games.

The bottom line is that it'd be a whole lot easier to spend $500 on a new Dell, set it in the corner without access, let them have at it, and revoke the rights to the computer that's connected. (Then I guess they could open the box, put in a network card, and take your cable while you're gone. Oh well, back to square one.) As someone else pointed out, there's no lack of opportunity to go to a friend's house and do whatever they want.
Shoot, the American Library Association campaigns hard every year to keep the computers at the library completely wide open to every piece of garbage on the net. All the free porn you want at the library! Woohoo! HTH, dk -- David "Dunkirk" Krider, http://www.davidkrider.com Acts 17:28, "For in Him we live, and move, and have our being." Linux: Will you use the power for good... or for AWESOME?
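An added example (my code, not David's or ckm's) that writes down David's firewall design as an iptables rule set, with the authenticating proxy ckm mentions running on the firewall: forwarding is off and the FORWARD policy drops, LAN hosts may open only the proxy port on the firewall, and the firewall itself may reach the net only for DNS and web traffic, which is all the proxy needs. The interface names, the LAN range and the ports are assumptions; the script prints the rules rather than applying them.

```shell
#!/bin/sh
# Added example, not code from the thread: rule set for a dedicated
# firewall box between the LAN and the ADSL line. Assumed (constructed)
# layout: LAN on eth1 as 192.168.1.0/24, ADSL on eth0, proxy on TCP 3128,
# POP3 pickup on TCP 110. Run the printed lines as root on the firewall.

firewall_rules() {
    lan_if=$1 ext_if=$2 lan_net=$3 proxy_port=$4
    cat <<EOF
echo 0 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $lan_if -s $lan_net -p tcp --dport $proxy_port -j ACCEPT
iptables -A OUTPUT -o $ext_if -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -o $ext_if -p tcp -m multiport --dports 80,443 -j ACCEPT
EOF
}

# Optional extra opening for the mail pickup David suggests: fetchmail on
# the firewall collects the mail and the LAN side fetches it over POP3.
mail_pickup_rule() {
    lan_if=$1 lan_net=$2 pop_port=$3
    printf 'iptables -A INPUT -i %s -s %s -p tcp --dport %s -j ACCEPT\n' \
        "$lan_if" "$lan_net" "$pop_port"
}

# Count the rules that accept anything arriving from the LAN interface;
# one per permitted service is the whole point of the design.
lan_openings() {
    firewall_rules "$@" | grep -c -- "-i $1 "
}

# Usage: print the base policy, then the optional mail rule.
firewall_rules eth1 eth0 192.168.1.0/24 3128
mail_pickup_rule eth1 192.168.1.0/24 110
```

Because no FORWARD rule exists and ip_forward is off, a browser on the LAN with no proxy configured gets nothing at all; the proxy's own authentication then decides who may use the one door that is open. Adding a service for the boys means adding exactly one INPUT line, which keeps the policy reviewable.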