Re: Firewall confusion



On Monday 28 Dec 2009 10:39, while playing with a tin of spray paint,
Stephen Horne painted this mural:

On Mon, 28 Dec 2009 10:06:39 +0100, houghi <houghi@xxxxxxxxxxxxxxxxxx>
wrote:

Stephen Horne wrote:

The scenario I have in mind is a trojan. I download it, mess around
with it within a user account, and don't realise that it has (e.g.)
scanned the files in my user account, spotted some passwords/bank
details/personal info, and phoned home.

Why would you be messing around with a trojan under your own user
account? If you're that concerned, set up a separate user account and
use it either for messing about with programs of unknown provenance,
or use it for your banking stuff. If you really want to go one step
further, encrypt the home for that user.

Well, it can also just mail home and thus use the programs where you
already have opened the ports for. It could use firefox or whatever

And these are also things that it shouldn't be allowed to do without
my explicit permission.

How would cron be able to ask you for permission to send you a mail
detailing the results of a job it's just run?

Sure you can play around and even have a user account, but do it with
moderation and limitation. e.g. see that that user does not have access
to the outside world. Whether sandboxing is enough or using a virtual
manager (or both) I am not sure.

Finally, we are getting somewhere ;-)

Right - so are you saying that it's possible to set up a "sandbox"
user account with no internet access allowed?

Yes, but you won't be able to do so without using iptables directly.
All it takes is adding a rule that DROPS packets from a specific UID or
GID. You could easily stop all users from accessing the net. It would
probably make things quite unusable for them, since you'd need to
prevent access to localhost as well, or they could use the mail server
to send mail without asking your permission.

While it's pretty old, this should give you an idea of how to do that:

http://www.linuxjournal.com/article/6091

I would say that a virtual manager with no network is the most safe
environment in your case as well as the easiest to do.

Maybe, but on my less than awe inspiring machine, I want to limit the
number of layers of virtualisation if possible.

I've run Parallels on an old Athlon, 1.2GHz with either 512 or 768MB
IIRC, and it was pretty usable. It was slower than running the OS
directly on the hardware, but not that much slower. I also used VMware,
which was faster on the same hardware, and that made it feel it was
running at about the same speed it would have been if it was running
directly on the hardware. Now I use Virtualbox, mostly on this X2
5200+ machine, and there doesn't seem to be any noticeable slowdown
even when the system is under load.


Regards,
David Bolt

--
Team Acorn: www.distributed.net OGR-NG @ ~100Mnodes RC5-72 @ ~1Mkeys/s
openSUSE 11.0 32b | | openSUSE 11.2 32b |
openSUSE 11.0 64b | openSUSE 11.1 64b | openSUSE 11.2 64b |
TOS 4.02 | openSUSE 11.1 PPC | RISC OS 4.02 | RISC OS 3.11
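
The per-UID DROP rule described in the reply above, as an added example that is not part of the original post: a shell function that prints the iptables owner-match commands for one account so they can be reviewed before being run as root. The function names and the UID 1001 are assumptions; ip6tables is included because an IPv4-only rule would leave IPv6 open.

```shell
#!/bin/sh
# Added example: print the firewall commands that cut one local account off
# from the network. Nothing is applied here; the output is for review.

# resolve_uid NAME_OR_UID -> numeric UID on stdout, non-zero exit if unknown
resolve_uid() {
    case "$1" in
        ''|*[!0-9]*) id -u "$1" 2>/dev/null ;;   # a login name: look it up
        *)           printf '%s\n' "$1" ;;       # already numeric
    esac
}

# sandbox_rules NAME_OR_UID [DROP|REJECT]
# The owner match only works on locally generated packets (OUTPUT chain).
# No "-o" interface is given, so loopback is covered too, which is what
# stops the account from handing mail to a local mail server.
sandbox_rules() {
    target=${2:-DROP}
    case "$target" in
        DROP|REJECT) ;;
        *) echo "bad target: $target" >&2; return 2 ;;
    esac
    uid=$(resolve_uid "$1") || { echo "unknown user: $1" >&2; return 1; }
    if [ "$uid" -eq 0 ]; then
        echo "refusing to block UID 0 (system services run as root)" >&2
        return 1
    fi
    # -I OUTPUT 1 puts the rule first, ahead of any existing ACCEPT rules.
    for ipt in iptables ip6tables; do
        printf '%s -I OUTPUT 1 -m owner --uid-owner %s -j %s\n' \
            "$ipt" "$uid" "$target"
    done
}

# Example (constructed UID): sandbox_rules 1001
```

REJECT makes blocked connections fail immediately instead of hanging until timeout, which is usually easier to live with inside the sandbox account.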