Re: zonealarm type functionality...again
On Fri, 04 Jul 2003 20:26:26 -0700, Steven J. Hathaway, <shathawa@e-z.net> wrote:
> Bright wrote:
>
> > Dear all ... I just posted a similar message to linux networking but
> > this query applies as much to security (more so in fact)
> >
> > zonealarm type functionality has been queried in the past on a number
> > of occasions and the general consensus appears to be that it isn't
> > available ... although the posts I was looking at were quite old so
> > maybe the situation has changed.
> >
> > So I'll try again...........
>
> I don't know of a Linux process monitor that can intercept network
> calls similar to ZoneAlarm. Such a capability would require rewrite
> to library functions. But even this can be bypassed by using
> static-linked program code.
>
> Maybe someone else can comment further!
There's optional stuff under iptables that might help for outbound
stuff. From "man iptables"...
   owner
       This module attempts to match various characteristics of
       the packet creator, for locally-generated packets. It is
       only valid in the OUTPUT chain, and even this some packets
       (such as ICMP ping responses) may have no owner, and hence
       never match.

       --uid-owner userid
              Matches if the packet was created by a process with
              the given effective user id.

       --gid-owner groupid
              Matches if the packet was created by a process with
              the given effective group id.

       --pid-owner processid
              Matches if the packet was created by a process with
              the given process id.

       --sid-owner sessionid
              Matches if the packet was created by a process in
              the given session group.

       --cmd-owner name
              Matches if the packet was created by a process with
              the given command name. (this option is present
              only if iptables was compiled under a kernel supporting
              this feature)
Well, you can block all outbound ICMP ping responses. Assuming that
software runs with non-root permissions, and that the install process
didn't tinker with libraries, iptables can control it. So here's a
scenario...
1) iptables blocks all outbound stuff by default; user mozilla is
allowed to send out
2) create low-privileged user, eg AbiWord
3) user launches a script in sudoers (allowed with no passwords)
that launches AbiWord. sudoers forces it to run as uid AbiWord
4) user will have to chgrp and chmod directories/files to allow
AbiWord to actually do anything useful
5) Assuming there is no iptables rule to allow packets owned by
user AbiWord out, then AbiWord can't send anything out
6) userid for mozilla would presumably have permission to send out
packets
Asking for permission is somewhat different. Making on-the-fly
changes to iptables requires root privileges. Can root launch a daemon
that beeps when unauthorized access is attempted? Can root run some
sort of menu/dialog in say tty2 that asks for permission for an app to
send out data? Can we be certain that a regular app can't switch to
tty2 and feed "the right answers" to the outbound packet permission
daemon?
--
Walter Dnes <waltdnes@waltdnes.org>
Email users are divided into two classes;
1) Those who have effective spam-blocking
2) Those who wish they did
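The per-user outbound policy from the scenario above, written out as an added example that is not part of the thread; the user names, the log prefix and the sample kernel log lines are constructed. It relies only on --uid-owner, since --pid-owner, --sid-owner and --cmd-owner were later removed from the kernel, and it adds a rate-limited LOG rule so denied attempts show up in the kernel log (the "daemon that beeps" part of the question).

```shell
#!/bin/sh
# Added example: builds the OUTPUT-chain rules for the per-user scenario
# and summarises what the LOG rule records. Names are assumptions.

# Print the OUTPUT-chain rules, one iptables command per line.
# Arguments: user names whose processes may originate outbound packets.
gen_output_rules() {
    echo "iptables -P OUTPUT DROP"
    echo "iptables -F OUTPUT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for u in "$@"; do
        echo "iptables -A OUTPUT -m owner --uid-owner $u -j ACCEPT"
    done
    # Anything else (e.g. the low-privileged AbiWord uid) is logged with
    # its UID, rate-limited, and then dropped by the chain policy.
    echo "iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-uid --log-prefix 'OUTBOUND-DENIED: '"
}

# Execute the generated rules (needs root); with DRY_RUN=1 only print them.
apply_output_rules() {
    gen_output_rules "$@" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then echo "$cmd"; else eval "$cmd"; fi
    done
}

# Count denied packets per UID from kernel log lines on stdin; prints "uid count".
summarize_denied() {
    grep 'OUTBOUND-DENIED:' | sed -n 's/.* UID=\([0-9]*\).*/\1/p' | sort | uniq -c |
        awk '{ print $2, $1 }'
}

# Constructed sample of what the LOG rule writes to the kernel log.
SAMPLE_LOG='Jul  5 10:00:01 host kernel: OUTBOUND-DENIED: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=80 UID=1002 GID=1002
Jul  5 10:00:02 host kernel: OUTBOUND-DENIED: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40002 DPT=443 UID=1002 GID=1002
Jul  5 10:00:03 host kernel: OUTBOUND-DENIED: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 PROTO=UDP SPT=5353 DPT=53 UID=1003 GID=1003
Jul  5 10:00:04 host kernel: unrelated message'

DRY_RUN=1 apply_output_rules mozilla
printf '%s\n' "$SAMPLE_LOG" | summarize_denied
```

Run as root without DRY_RUN to install the rules; the summary output for the sample is "1002 2" and "1003 1", i.e. two denied packets from uid 1002 and one from uid 1003.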