by dingaling 3441 days ago
> Nice project and makes you think why all programs are given all network access by default.

One trick I learned to negate that is to insert an iptables rule that blocks all out-of-LAN traffic except for specific secondary user-groups. Not primary groups, but ones which you have to manually grant to users.

Then, those applications which you do wish to access the Internet can be run using sg e.g.

  sg bobs_internet_access_group firefox
Anything that tries to run as a user's primary group is stopped at the firewall. For example a malicious shell script will run by default with the primary group and will fail.

This is also very useful for stopping anything run by root from talking to the Internet, since that is a thing that should NEVER occur.

It does take a little configuration and it's probably best to create a new secondary group for each user (and don't forget IPv6!) but once it's set it just keeps working.

1 comments
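An added example of the rule set the comment above describes (this is not dingaling's code, and the LAN prefixes, the chain name NETGATE and the group name bobs_internet_access_group are placeholders, not values from the comment). It is a POSIX sh script that prints iptables and ip6tables commands; pipe the output into "sudo sh" to apply them. The key detail is that the owner match tests the effective GID of the process that created the socket, which is exactly what sg changes, while a process that merely lists the group as a supplementary group (a normal login, or a shell script inheriting the user's primary group) does not match and is rejected.

```sh
#!/bin/sh
# Added example (not from the original comment): emit iptables/ip6tables
# rules that block all out-of-LAN traffic unless the sending process runs
# with the effective GID of one of the named secondary groups, which is
# the GID that "sg GROUP cmd" gives a command.
# Assumed values, adjust for your network: the LAN prefixes below and the
# group name used in the default call are placeholders.

LAN4="192.168.1.0/24"              # assumed IPv4 LAN prefix
LAN6="fe80::/10 fd00::/8"          # assumed IPv6 link-local and ULA prefixes
CHAIN="NETGATE"                    # dedicated chain, easy to flush later

# emit_chain TOOL REJECT_TYPE "LAN PREFIXES" GROUP... : rules for one address family
emit_chain() {
  tool="$1"; reject="$2"; lans="$3"; shift 3
  echo "$tool -N $CHAIN"
  # Hook the chain in front of everything else in OUTPUT.
  echo "$tool -I OUTPUT 1 -j $CHAIN"
  # Loopback and LAN destinations are always allowed.
  echo "$tool -A $CHAIN -o lo -j RETURN"
  for lan in $lans; do
    echo "$tool -A $CHAIN -d $lan -j RETURN"
  done
  # The owner match compares the effective GID of the socket's owning
  # process. Supplementary groups are NOT consulted, so only a command
  # started via "sg GROUP ..." (or a daemon running as that group) passes.
  for g in "$@"; do
    echo "$tool -A $CHAIN -m owner --gid-owner $g -j RETURN"
  done
  # Everything else, including anything running as root with gid 0, is
  # rejected. REJECT rather than DROP so blocked programs fail fast
  # instead of hanging until a timeout.
  echo "$tool -A $CHAIN -j REJECT --reject-with $reject"
}

# gen_rules GROUP... : the complete rule set for IPv4 and IPv6
gen_rules() {
  emit_chain iptables  icmp-admin-prohibited "$LAN4" "$@"
  emit_chain ip6tables icmp6-adm-prohibited  "$LAN6" "$@"
}

# Print the rule set; apply with:  sh thisscript.sh GROUP... | sudo sh
[ $# -gt 0 ] || set -- bobs_internet_access_group
gen_rules "$@"
```

Once applied, a plain "curl -m 5 http://www.example.com/" should fail immediately with an unreachable error, while "sg bobs_internet_access_group 'curl -m 5 http://www.example.com/'" succeeds. Two caveats: the owner match only exists for locally generated packets (OUTPUT and POSTROUTING), and system daemons that legitimately need upstream access (a local stub resolver, NTP, the package manager) run under their own GIDs and need to be allowed explicitly. Newer iptables also offers a "--suppl-groups" option for the owner match; do not use it here, because it would let every member of the group through regardless of whether they went via sg.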

I had not heard of sg(1) before. The sg(1) manpage on Linux says:

>The sg command works similar to newgrp but accepts a command. The command will be executed with the /bin/sh shell. With most shells you may run sg from, you need to enclose multi-word commands in quotes. Another difference between newgrp and sg is that some shells treat newgrp specially, replacing themselves with a new instance of a shell that newgrp creates. This doesn't happen with sg, so upon exit from a sg command you are returned to your previous group ID.

I could not find sg(1) for FreeBSD, neither in base nor in ports, but FreeBSD does have newgrp(1) mentioned above. The FreeBSD manpage for newgrp(1) notes:

>For security reasons, the newgrp utility is normally installed without the setuid bit. To enable it, run the following command:

> chmod u+s /usr/bin/newgrp

The main source file of newgrp(1), /usr/src/usr.bin/newgrp/newgrp.c is 310 lines long so I think creating an sg(1) based on that one and maybe also by looking at doas(1) -- which is in ports, not in base -- should not be too difficult.

However, I think using sg(1) to protect against random malicious binaries and shell scripts having internet access equates roughly to security by obscurity in that it only protects you as long as the malicious code is unaware of sg(1).

Consider the following (which I wrote without testing it with a group limiting firewall but it should work like this):

  nw_access_group=
  # Try every group the user belongs to (id -Gn lists primary and
  # secondary groups by name) until one gets a request past the firewall.
  # A short timeout keeps a DROP rule from hanging the probe.
  for curr_group in $(id -Gn) ; do
    if sg "$curr_group" 'curl -s -m 5 http://www.example.com/' >/dev/null 2>&1 ; then
      nw_access_group="$curr_group"
      break
    fi
  done

  if [ -n "$nw_access_group" ] ; then
    echo "Would use group $nw_access_group for evil stuff."
  else
    echo "No group with Internet access found." >&2
  fi