Author |
Message |
Lars Apprentice
Joined: 06 Feb 2003 Posts: 171 Location: Germany, near baltic sea
|
Posted: Fri Nov 24, 2017 9:26 am Post subject: How to create an offline user? |
|
|
Hi,
is there a way to create a user that has no network access?
This user should:
- be able to open a browser but should not be able to access the internet.
- be able to read a pdf with a pdf-reader which is not able to access the network.
- be able to access all my local files, but not the nfs shares.
- not be able to get root.
Quote: | This is easy, not be in the wheel group |
Please, no answers like cap the cable. Everyone should be able to answer the reason for themselves. _________________
Quote: | Everything that is not simple is either wrong or too complicated. |
V.Glazounov |
|
massimo Veteran
Joined: 22 Jun 2003 Posts: 1226
|
Posted: Fri Nov 24, 2017 9:38 am Post subject: Re: How to create an offline user? |
|
|
I suppose you can implement this by using iptables with -m owner. _________________ Hello 911? How are you? |
|
havana8 n00b
Joined: 17 Nov 2017 Posts: 16
|
Posted: Fri Nov 24, 2017 2:31 pm Post subject: |
|
|
I think so, yes |
|
Roman_Gruber Advocate
Joined: 03 Oct 2006 Posts: 3846 Location: Austro Bavaria
|
Posted: Fri Nov 24, 2017 3:51 pm Post subject: |
|
|
Well, assume it's you, and the not so privileged son, I would recommend
that you start the network service as user root yourself every time. I did that for quite a long time with pptp over the years. I also used startx for the x-server. Same for WIFI. Those network scripts do not even work reliably, on a SAMSUNG stock android tablet, custom rom nexus 4 smartphone, notebook and such. So I prefer always to start it by myself anyway |
|
jonathan183 Guru
Joined: 13 Dec 2011 Posts: 318
|
Posted: Sat Nov 25, 2017 1:11 pm Post subject: Re: How to create an offline user? |
|
|
Lars wrote: | Hi,
is there a way to create a user that has no network access?
This user should:
- be able to open a browser but should not be able to access the internet.
- be able to read a pdf with a pdf-reader which is not able to access the network.
- be able to access all my local files, but not the nfs shares.
- not be able to get root.
|
iptables will allow you to limit access to the net. I don't use nfs but suspect you need to limit permissions during mounting. I don't think users would get root unless you grant it ... Is this for someone you trust and just want to restrict access or you are concerned about someone gaining unauthorised access? |
|
nokilli Apprentice
Joined: 25 Feb 2004 Posts: 196
|
Posted: Sat Nov 25, 2017 5:05 pm Post subject: Re: How to create an offline user? |
|
|
Lars wrote: |
- be able to open a browser but should not be able to access the internet.
|
I'm pretty sure this is Firefox's ultimate goal. Just give them time. _________________ Today is the first day of the rest of your Gentoo installation. |
|
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
|
Posted: Sat Nov 25, 2017 8:34 pm Post subject: |
|
|
You could put the login session for that user in an isolated container; this doesn't even require root to set up:
Code: | ~ $ ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq state DOWN mode DEFAULT group default qlen 1000
link/ether 01:23:45:67:89:ab brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DORMANT group default qlen 1000
link/ether 01:23:45:11:23:58 brd ff:ff:ff:ff:ff:ff
~ $ unshare -nr -- ip link show
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 |
|
|
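The two approaches suggested in this thread (iptables with `-m owner`, and the network namespace shown in the post above), as an added example that is not part of any poster's message. The account name `offline` and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. "offline" is a hypothetical account name.

# 1) Print owner-match rules for root to review and apply.
#    -m owner is only valid in OUTPUT/POSTROUTING, and IPv6 needs the same
#    rules through ip6tables or v6 traffic still leaves the machine.
#    NFS I/O is sent by the kernel client, not by the user's sockets, so
#    these rules do not cover mounted shares; use mount/file permissions.
offline_rules() {
    user=$1
    case $user in
        ''|*[!A-Za-z0-9_-]*) echo "bad user name: $user" >&2; return 2 ;;
    esac
    for ipt in iptables ip6tables; do
        # Loopback stays open so local services keep working.
        echo "$ipt -A OUTPUT -o lo -m owner --uid-owner $user -j ACCEPT"
        echo "$ipt -A OUTPUT -m owner --uid-owner $user -j REJECT"
    done
}

# 2) Run a command in a new user + network namespace, as in the post above.
#    Needs unprivileged user namespaces to be enabled in the kernel.
run_offline() {
    unshare -nr -- "$@"
}

# Check the isolation: print how many IPv4 routes a process started through
# run_offline can see (0 means no IPv4 path off the host). Returns 3 if the
# namespace could not be created.
offline_route_count() {
    routes=$(run_offline cat /proc/net/route 2>/dev/null) || return 3
    # First line of /proc/net/route is the column header.
    printf '%s\n' "$routes" | awk 'NR > 1 && NF { n++ } END { print n + 0 }'
}

# Demo: show the rules, then try the namespace check.
offline_rules offline
offline_route_count || echo "network namespace unavailable here" >&2
```

The firewall rules are enforced by the kernel for every process of that account, while the namespace only isolates what is started through the wrapper, so it has to be applied to the whole login session to act as a restriction.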