Date:      Mon, 13 Jan 2003 00:06:07 +0000
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        freebsd-questions@FreeBSD.ORG
Subject:   Re: Question
Message-ID:  <20030113000607.GB2155@happy-idiot-talk.infracaninophi>
In-Reply-To: <00ec01c2ba91$92495960$0201a8c0@slipstream.datasyrge.net>
References:  <00ec01c2ba91$92495960$0201a8c0@slipstream.datasyrge.net>

On Sun, Jan 12, 2003 at 06:23:09PM -0500, Steve Winnacott wrote:

> Based on group membership, allow or deny certain users access to certain
> outgoing services (www, telnet, ftp, ssh, ping, traceroute, etc). Again this
> is not IP based, but based on group membership. Everyone can log into any PC
> on the LAN. I've seen something like this done in Novell, where based on a
> user's group context, their access is limited to certain services.

From the ipfw(8) man page:

   RULE OPTIONS (MATCH PATTERNS)
     Additional match patterns can be used within rules. Zero or more of these
     so-called options can be present in a rule, optionally prefixed by the
     not operand, and possibly grouped into or-blocks.

     The following match patterns can be used (listed in alphabetical order):

     [...]

     gid group
             Matches all TCP or UDP packets sent by or received for a group.
             A group may be specified by name or number.

which sounds like a way of implementing what you want.  Section 10.7
of the handbook covers setting up ipfw(8):
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html.
If you need help generating a ruleset for ipfw(8), search the archives
of this list for innumerable examples or ask again here.  Note that
this may not work entirely the way you expect as it's not possible in
all cases for the network stack to know what the gid of the local
*user* that causes the packets to be generated is, just the
sending/receiving process.

Another approach is to modify the ownership+permissions of the
binaries on the system --- this isn't foolproof by any means. A
reasonably quick witted user can just grab their own copy of the
binary from some other system, and use that. It will, at least, make
your intentions clear.  E.g. to limit telnet(1) to a particular group
of users, try:

    # pw group add -n tlntusrs -M john,paul,george,ringo
    # chgrp tlntusrs /usr/bin/telnet
    # chmod 750 /usr/bin/telnet

Keep a script handy to regenerate the mode and group ownership changes
as if you ever do a {build,install}world your modifications will get
blown away.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
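
The two approaches from the mail above, combined into the kind of "keep it handy" script it recommends, as an added example that is not part of the original message or of FreeBSD: it regenerates the chgrp/chmod restrictions on client binaries and emits a matching ipfw(8) ruleset using the gid option. The group names (tlntusrs, ftpusers, wwwusers), rule numbers and port lists are constructed for the example; by default the script only prints what it would do, and runs the commands only when DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the original mail): regenerate per-group access
# restrictions after an installworld and load a gid-based ipfw ruleset.
# Group names, rule numbers and ports below are made-up policy values.
# DRY_RUN=1 (the default) prints the commands; DRY_RUN=0 executes them.
DRY_RUN=${DRY_RUN:-1}

# Run a command, or print it verbatim when DRY_RUN is set.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Make PATH executable only by root and by members of GROUP
# (the chgrp/chmod recipe from the mail).  Usage: restrict_binary PATH GROUP
restrict_binary() {
    path=$1; group=$2
    run chgrp "$group" "$path"
    run chmod 750 "$path"
}

# Emit two ipfw rules: allow GROUP to open outgoing TCP connections to PORTS,
# then deny everybody else.  Usage: gen_gid_rules BASENUM GROUP PORTS
# 'setup' matches only the connection-opening SYN, so established sessions
# are unaffected.  As the mail warns, gid is that of the process sending the
# packet, not necessarily the user sitting at the console.
gen_gid_rules() {
    base=$1; group=$2; ports=$3
    run ipfw add "$base" allow tcp from me to any "$ports" out setup gid "$group"
    run ipfw add "$((base + 10))" deny tcp from me to any "$ports" out setup
}

# Constructed policy: which group may use which client, and which ports.
apply_policy() {
    restrict_binary /usr/bin/telnet tlntusrs
    restrict_binary /usr/bin/ftp ftpusers
    gen_gid_rules 1000 wwwusers 80,443
    gen_gid_rules 1100 tlntusrs 23
}

apply_policy
```

Run it once after every installworld; reviewing the dry-run output first keeps a typo in the policy from locking root's own tools down to the wrong group.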
