[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [suse-security] Does Rich Text hold the same risks as html ?
-----BEGIN PGP SIGNED MESSAGE-----
The Thursday 2006-01-26 at 00:25 -0800, Crispin Cowan wrote:
> > A trick was published here about how to block acroread from contacting
> > internet outside, using the local machine firewall.
> I posted a trick of how to prevent it using AppArmor, which is to deny
> firewall-based trick, I haven't seen it. I have some issue with whether
> it *could* work; you are going to want to configure your firewall so
> that HTTP requests can go out port 80, and there is nothing to prevent
It was published by Nordi:
| Date: Mon, 18 Apr 2005 15:56:26 +0200
| From: nordi <nordi@xxxxxxxxx>
| Subject: Re: [suse-security] How to block Acroread 7 with SuSE FW2?
The trick, that only works if the firewall is in the same machine, is to
make the acrobat binary owned by a certain group, say "talker" and make it
SGID; then, using the "--gid-owner" option in iptables, you can block any
program executing under that group from internet access:
iptables -A OUTPUT -m owner --gid-owner talker -j REJECT
I'm sure there are people here much more knowleadgeable than me in this
things who could write a small script to activate/deactivate that iptables
rule when the user wants, coupled with a line in /etc/permissions.local.
It could be inserted in "/etc/sysconfig/scripts/SuSEfirewall2-custom", but
I don't know exactly where.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Made with pgp4pine 1.76
-----END PGP SIGNATURE-----
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here