From owner-freebsd-questions Sun Jan 12 16: 6:22 2003
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AED2437B401 for ; Sun, 12 Jan 2003 16:06:20 -0800 (PST)
Received: from smtp.infracaninophile.co.uk (ns0.infracaninophile.co.uk [81.2.69.218]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6A44943EB2 for ; Sun, 12 Jan 2003 16:06:19 -0800 (PST) (envelope-from m.seaman@infracaninophile.co.uk)
Received: from happy-idiot-talk.infracaninophile.co.uk (localhost [IPv6:::1]) by smtp.infracaninophile.co.uk (8.12.6/8.12.6) with ESMTP id h0D06C1n003724 for ; Mon, 13 Jan 2003 00:06:12 GMT (envelope-from matthew@happy-idiot-talk.infracaninophile.co.uk)
Received: (from matthew@localhost) by happy-idiot-talk.infracaninophile.co.uk (8.12.6/8.12.6/Submit) id h0D067xY003723 for freebsd-questions@FreeBSD.ORG; Mon, 13 Jan 2003 00:06:07 GMT
Date: Mon, 13 Jan 2003 00:06:07 +0000
From: Matthew Seaman
To: freebsd-questions@FreeBSD.ORG
Subject: Re: Question
Message-ID: <20030113000607.GB2155@happy-idiot-talk.infracaninophi>
Mail-Followup-To: Matthew Seaman , freebsd-questions@FreeBSD.ORG
References: <00ec01c2ba91$92495960$0201a8c0@slipstream.datasyrge.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
In-Reply-To: <00ec01c2ba91$92495960$0201a8c0@slipstream.datasyrge.net>
User-Agent: Mutt/1.5.3i
X-Spam-Status: No, hits=-2.7 required=5.0 tests=IN_REP_TO,QUOTED_EMAIL_TEXT,REFERENCES,SPAM_PHRASE_03_05,USER_AGENT,USER_AGENT_MUTT version=2.43
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Sun, Jan 12, 2003 at 06:23:09PM -0500, Steve Winnacott wrote:

> Based on group membership, allow or deny certain users access to certain
> outgoing services (www, telnet, ftp, ssh, ping, traceroute, etc). Again this
> is not IP based, but based on group membership. Everyone can log into any PC
> on the LAN. I've seen something like this done in Novell, where based on a
> user's group context, their access is limited to certain services.

From the ipfw(8) man page:

    RULE OPTIONS (MATCH PATTERNS)
         Additional match patterns can be used within rules. Zero or more of
         these so-called options can be present in a rule, optionally prefixed
         by the not operand, and possibly grouped into or-blocks.

         The following match patterns can be used (listed in alphabetical
         order):

         [...]

         gid group
              Matches all TCP or UDP packets sent by or received for a group.
              A group may be specified by name or number.

which sounds like a way of implementing what you want. Section 10.7 of the
handbook covers setting up ipfw(8):

    http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html

If you need help generating a ruleset for ipfw(8), search the archives of
this list for innumerable examples or ask again here.

Note that this may not work entirely the way you expect, as it's not
possible in all cases for the network stack to know what the gid of the
local *user* that causes the packets to be generated is, just the
sending/receiving process.

Another approach is to modify the ownership+permissions of the binaries
on the system --- this isn't foolproof by any means. A reasonably
quick-witted user can just grab their own copy of the binary from some
other system, and use that. It will, at least, make your intentions
clear. E.g. to limit telnet(1) to a particular group of users, try:

    # pw group add -n tlntusrs -M john,paul,george,ringo
    # chgrp tlntusrs /usr/bin/telnet
    # chmod 750 /usr/bin/telnet

Keep a script handy to regenerate the mode and group ownership changes,
as if you ever do a {build,install}world your modifications will get
blown away.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
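The "keep a script handy" advice at the end of the reply, worked out as an added example that is not part of the mail above: a small POSIX sh script that regenerates the group ownership and mode of a table of restricted binaries, so it can be re-run after every installworld. It assumes FreeBSD's pw(8), chgrp(1) and chmod(1) as used in the reply; the binaries, group names and member lists in the table are constructed sample values, and the default mode is a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example (not the original poster's script): regenerate group
# ownership and mode on access-restricted binaries after an installworld.
# Assumes FreeBSD pw(8), chgrp(1), chmod(1). Table values are constructed.

# Each line: path  group  mode  comma-separated members
# (members are only used when the group has to be created).
RESTRICTED='
/usr/bin/telnet tlntusrs 750 john,paul,george,ringo
/usr/bin/ftp    ftpusrs  750 john,paul
'

# Print the commands that would be run, one per line (dry run).
# The group is only created when it does not exist yet, so the script
# is idempotent and safe to re-run after every installworld.
restore_cmds() {
    printf '%s\n' "$RESTRICTED" | while read -r path group mode members; do
        [ -z "$path" ] && continue
        printf 'pw group show %s >/dev/null 2>&1 || pw group add -n %s -M %s\n' \
            "$group" "$group" "$members"
        printf 'chgrp %s %s\n' "$group" "$path"
        printf 'chmod %s %s\n' "$mode" "$path"
    done
}

# Apply the generated commands, stopping at the first failure and
# echoing each command so the change is visible in the terminal log.
apply_restore() {
    restore_cmds | sh -e -x
}

# usage: ./restore-perms.sh        -> dry run, prints the commands
#        ./restore-perms.sh -y     -> applies them (run as root)
case "${1:-}" in
    -y) apply_restore ;;
    *)  restore_cmds ;;
esac
```

Running the dry run first and diffing its output against the previous run is a cheap way to notice when a new build has added or renamed one of the binaries in the table; the mode column can also carry a setuid bit (e.g. 4750) for tools such as ping that need it, while still limiting execution to the group.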