I try to block the user sandbox from accessing the network with this command:
$ iptables -A OUTPUT -m owner --uid-owner sandbox -j DROP
However, after that I’m still able to ping an external host:
$ sudo -u sandbox ping 22.214.171.124
PING 126.96.36.199 (188.8.131.52) 56(84) bytes of data.
64 bytes from 184.108.40.206: icmp_req=1 ttl=49 time=802 ms
64 bytes from 220.127.116.11: icmp_req=2 ttl=49 time=791 ms
What am I doing wrong?
My configuration looks like this:
$ /sbin/iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             owner UID match sandbox
setuid root set. I just had to remove it:
chmod u-s /bin/ping
ping is setuid root on your system, so it is root which opens the socket from which ping sends its ICMP echo requests. Thus the rule will never match.
(Note that this is true on EL6, Debian squeeze, etc. More recent distributions have removed ping’s setuid bit and replaced it with a capability. In these cases, the rule might match.)
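The answer above turns on one fact: an owner match looks at the uid of the process that opened the socket, so a setuid-root binary is seen as root, while a binary that carries a file capability (the newer arrangement) keeps the invoking user's uid. The following script is an added example, not part of the original question or answer: it classifies a binary from its permission string and reports whether a --uid-owner rule for the invoking user would see its traffic. The function names (classify_mode, owner_rule_matches, check_binary) are my own, and check_binary assumes GNU stat(1) and, optionally, getcap(8) on the PATH.

```shell
#!/bin/sh
# Added example (not from the original post). Decide whether an iptables
# "-m owner --uid-owner USER" rule can match packets sent by a binary.
# Assumption: the socket is opened under the process's effective uid, which
# a setuid-root bit changes to 0 and a file capability (cap_net_raw) does not.

# classify_mode MODE OWNER -> prints setuid-root | setuid-other | plain
# MODE is a permission string as printed by "stat -c %A", e.g. -rwsr-xr-x
classify_mode() {
  mode="$1"
  owner="$2"
  # the 4th character is 's' or 'S' when the setuid bit is set
  bit=$(printf '%s' "$mode" | cut -c4)
  case "$bit" in
    s|S)
      if [ "$owner" = "root" ]; then
        echo setuid-root
      else
        echo setuid-other
      fi
      ;;
    *)
      echo plain
      ;;
  esac
}

# owner_rule_matches MODE OWNER -> "yes" if a --uid-owner rule for the
# invoking user sees the packets, "no" if they are attributed to root
owner_rule_matches() {
  case "$(classify_mode "$1" "$2")" in
    setuid-root) echo no ;;
    *)           echo yes ;;
  esac
}

# check_binary PATH -> inspect a real file: mode, owner, file capabilities
# (if getcap is available) and the resulting verdict for the owner match
check_binary() {
  path="$1"
  mode=$(stat -c %A "$path")
  owner=$(stat -c %U "$path")
  printf '%s: %s %s (%s)\n' "$path" "$mode" "$owner" "$(classify_mode "$mode" "$owner")"
  if command -v getcap >/dev/null 2>&1; then
    caps=$(getcap "$path" 2>/dev/null)
    if [ -n "$caps" ]; then
      printf '  file capabilities: %s\n' "$caps"
    fi
  fi
  printf '  --uid-owner rule matches invoking user: %s\n' \
    "$(owner_rule_matches "$mode" "$owner")"
}

# usage: sh check_owner_match.sh /bin/ping
if [ -n "${1:-}" ]; then
  check_binary "$1"
fi
```

Run it against /bin/ping on an older distribution and the verdict is "no", which is exactly why the DROP rule in the question never fires; on a distribution that ships ping with cap_net_raw instead of the setuid bit, the mode is plain and the rule can match.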