Question

I'd like to run a script on UNIX with restricted privileges. Specifically, I'd like to run code that I received without letting it send data. My current solution is to:

  1. Create a dummy user.
  2. Use iptables to block all outgoing traffic for the dummy user.
  3. Run the target program as the dummy user, using su - dummy -c 'command'.

The way I achieve step 2 above is as described in this page. Specifically, I use the following command to add a new rule:

sudo iptables -I OUTPUT -m owner --uid-owner dummy -j DROP

When I now try to ping a web address by switching to the dummy account, the ping indeed fails because I added the rule to iptables. Here's that command:

> su - dummy -c 'ping www.google.com'
ping: unknown host www.google.com

Same goes for attempting to use traceroute. However, when I try to send an email in a similar way using mutt, it succeeds:

su - dummy -c 'echo "test" | mutt -s test [emailaddress]'

Why doesn't the rule block this, and more generally, how do I ensure all outgoing traffic is blocked for the program I'm running?


Solution 2

Here is a guide to setting up a chroot jail, which it seems you need.

https://help.ubuntu.com/community/BasicChroot

This allows you to control what commands can be executed; you can limit users' access to things like mutt with no problem. You grant access; you do not have to figure out what to deny, because all commands are blocked by default. This makes setting things up far simpler.

Other tips

mutt uses a mail server to send the email, and that's most likely not running with the uid of dummy.
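As an added diagnostic that is not part of the original thread, the following POSIX shell script makes the point above concrete for the rule in the question: an owner match drops only packets from sockets created by the listed uid, so mail that mutt hands to a local MTA daemon running as some other uid is never matched. The script parses the OUTPUT chain for uids dropped by --uid-owner and the process list for mail-handling daemons, then reports every MTA process running under a uid the rule does not cover. Both inputs are constructed samples here (uid 1001 for dummy, uid 107 for a postfix install, and the list of MTA process names are all assumptions); audit_live runs the same check against the real iptables -S OUTPUT and ps output.

```shell
#!/bin/sh
# Added diagnostic; not from the original thread. It explains the mutt
# case: an owner match drops only packets from sockets created by the
# listed uid. If mutt hands the message to a local MTA daemon that runs
# as another uid, that daemon's packets are not matched at all.
#
# Inputs (live commands, replaced below by constructed samples):
#   iptables -S OUTPUT            -> uids dropped by an owner match
#   ps -eo uid,comm --no-headers  -> uid of every running process

# Constructed: OUTPUT chain after the rule in the question. iptables
# prints the numeric uid; 1001 for the dummy user is an assumption.
SAMPLE_RULES='-P OUTPUT ACCEPT
-A OUTPUT -m owner --uid-owner 1001 -j DROP'

# Constructed: a postfix install running as uid 107 (assumed), plus the
# dummy user's own mutt and the sendmail client it invokes.
SAMPLE_PS='0 systemd
107 master
107 qmgr
107 smtp
1001 mutt
1001 sendmail'

# Process names that deliver mail to the network. Assumed list; extend
# it for the MTA actually installed.
MTA_NAMES='master pickup qmgr smtp exim4 sendmail ssmtp msmtp'

# Print each uid the OUTPUT chain drops with --uid-owner, one per line.
blocked_uids() {
    printf '%s\n' "$1" |
        sed -n 's/.*--uid-owner \([0-9][0-9]*\).*-j DROP.*/\1/p' | sort -u
}

# Print "uid comm" for every MTA-like process in the ps listing.
mta_processes() {
    printf '%s\n' "$1" | while read -r uid comm; do
        for n in $MTA_NAMES; do
            if [ "$comm" = "$n" ]; then
                printf '%s %s\n' "$uid" "$comm"
            fi
        done
    done
}

# Print "uid comm" for MTA processes whose uid the rule does not cover.
# Each line is a path by which the blocked user's mail still leaves the host.
unblocked_mta() {
    blocked=$(blocked_uids "$1")
    mta_processes "$2" | while read -r uid comm; do
        covered=0
        for b in $blocked; do
            if [ "$uid" = "$b" ]; then covered=1; fi
        done
        if [ "$covered" -eq 0 ]; then
            printf '%s %s\n' "$uid" "$comm"
        fi
    done
}

# Same check against the running system (iptables -S needs root).
audit_live() {
    unblocked_mta "$(iptables -S OUTPUT)" "$(ps -eo uid,comm --no-headers)"
}

# With the samples this prints the three postfix processes under uid 107.
unblocked_mta "$SAMPLE_RULES" "$SAMPLE_PS"
```

Every line the script prints is a process that can carry the blocked user's message onto the network, because the owner match looks at the uid that created the socket, not the uid that composed the mail. The sendmail client mutt runs as dummy is covered by the rule, but it only queues the message locally; the uid 107 daemons do the actual sending. Adding those uids to the DROP rule is a fix only if nothing else on the host relies on that MTA, which is why the chroot approach in the other answer, where mutt and the sendmail client are simply not available to the user, is the more robust option.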

Licensed under: CC-BY-SA with attribution