[plug] Restricting web access to specific users

levsky at rave.iinet.net.au levsky at rave.iinet.net.au
Wed May 28 15:30:07 WST 2003


On Wed, May 28, 2003 at 02:44:26PM +0800, Matt Kemner wrote:
> On Wed, 28 May 2003, quoth Derek Fountain:
> 
> > > There *is* an owner match in at least the patch-o-matic for netfilter,
> 
> > Yeah, if you could point that out I'd be interested. I've just had a look in
> > the pom and couldn't see anything like that.
> 
> It's in (recent versions of?)  the main iptables, and recent 2.4 kernels.
> Netfilter config in the kernel has:
> CONFIG_IP_NF_MATCH_OWNER "Owner match support (EXPERIMENTAL)"
> 
> and the iptables manpage has:
>    owner
>        This  module  attempts to match various characteristics of
>        the packet creator, for locally-generated packets.  It  is
>        only valid in the OUTPUT chain, and even then some packets
>        (such as ICMP ping responses) may have no owner, and hence
>        never match.
> 
>        --uid-owner userid
>               Matches if the packet was created by a process with
>               the given effective user id.
> 
> 
> so for example you could do:
>   iptables -A OUTPUT -m owner --uid-owner 1000 -j ACCEPT
> 
> to allow outgoing traffic created by the user with userid 1000

That was it. Thanks Matt. It was still in the pom when I last
saw it.


-- 
"Transported to a surreal landscape, a young girl murders the first
woman she encounters, then teams up with three strangers to kill again".
	Plot summary of "The Wizard of Oz"
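Putting Matt's rule into a complete ruleset for the original question (only certain local users may browse the web), as an added example that is not part of the thread. It emits an iptables-restore fragment so the rules can be reviewed before loading; the uid 1000, the chain name WEBUSER and the port list are assumptions made for the example. Two points the manpage excerpt above implies but does not spell out: the owner match sees only locally generated packets (traffic the box forwards for other hosts goes through FORWARD and is untouched), and it matches the effective uid, so a setuid binary or a proxy running as the allowed user gives everyone a way around it.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds an OUTPUT policy in which
# only one local uid may originate HTTP/HTTPS connections, using the owner
# match quoted above. The allowed uid (1000), the chain name WEBUSER and the
# port list are assumptions chosen for the example.

# web_rules UID [PORTS]
#   Print an iptables-restore fragment for the filter table. New TCP
#   connections to PORTS are ACCEPTed only when the creating process has
#   effective uid UID; other users get a TCP reset. Loopback and packets of
#   already-established flows pass first, so the uid check is evaluated once,
#   on the connection's first packet, and reply packets are never blocked.
web_rules() {
    _uid=$1
    _ports=${2:-"80 443"}
    printf '%s\n' '*filter'
    printf '%s\n' ':WEBUSER - [0:0]'
    printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'
    printf '%s\n' '-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for _p in $_ports; do
        printf '%s\n' "-A OUTPUT -p tcp --dport $_p -j WEBUSER"
    done
    printf '%s\n' "-A WEBUSER -m owner --uid-owner $_uid -j ACCEPT"
    # --reject-with tcp-reset is only accepted on a rule that also says -p tcp
    printf '%s\n' '-A WEBUSER -p tcp -j REJECT --reject-with tcp-reset'
    printf '%s\n' 'COMMIT'
}

# apply_web_rules UID [PORTS]
#   Load the generated rules. Needs root and an iptables/kernel pair with the
#   owner match (CONFIG_IP_NF_MATCH_OWNER); probing the match with --help
#   fails when the extension cannot be loaded, so check that before trying.
apply_web_rules() {
    [ "$(id -u)" -eq 0 ] \
        || { echo 'apply_web_rules: must run as root' >&2; return 1; }
    iptables -m owner --help >/dev/null 2>&1 \
        || { echo 'apply_web_rules: iptables has no owner match' >&2; return 1; }
    # --noflush leaves existing rules alone; only the printed lines are added
    web_rules "$1" "$2" | iptables-restore --noflush
}

# Review the rules first, then load them:
#   web_rules 1000
#   apply_web_rules 1000
```

Run `web_rules 1000` on its own to see exactly what will be loaded; `apply_web_rules` only pipes that text into iptables-restore after checking for root and for the owner extension.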


