slackware:parentalcontrol [2007/05/11 20:20] – Changed 2.9.7.0 to 2.9.7.1 for dansguardian's version alien | slackware:parentalcontrol [2008/02/21 21:55] – Change EXEMPTUSERS to PRIVUSERS (bugfix); use gpasswd instead of usermod. alien |
id clamav | id clamav |
</code> This shows easily enough that the two accounts have no common group. The following three commands add user //clamav// to the //nobody// and //nogroup// groups, and user //nobody// to the //clamav// group. Perhaps it is possible to leave out one of these additions, but at least it works this way. <code> | </code> This shows easily enough that the two accounts have no common group. The following three commands add user //clamav// to the //nobody// and //nogroup// groups, and user //nobody// to the //clamav// group. Perhaps it is possible to leave out one of these additions, but at least it works this way. <code> |
usermod -G $(id -Gn clamav | tr ' ' ','),nobody clamav | gpasswd -a clamav nobody |
usermod -G $(id -Gn clamav | tr ' ' ','),nogroup clamav | gpasswd -a clamav nogroup |
usermod -G $(id -Gn nobody | tr ' ' ','),clamav nobody | gpasswd -a nobody clamav |
</code> Verify that this worked, by again running <code> | </code> Verify that this worked, by again running <code> |
id nobody | id nobody |
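Review bot: the three `gpasswd -a` lines are the right replacement for the `usermod -G $(id -Gn ... | tr ' ' ',')` forms: `usermod -G` overwrites the supplementary group list, so the old commands only worked because of the subshell that re-read the existing groups, and a slip there would have silently dropped memberships, whereas `gpasswd -a` only appends. Two points still worth tightening in this hunk: the text hedges with "perhaps it is possible to leave out one of these additions", but every added membership widens what one daemon can read of the other's files, so the minimum set should be determined and the superfluous line dropped rather than kept "because it works"; and the verification step only runs `id nobody`, so `id clamav` (the check shown before the change) should be repeated too, and both daemons restarted, since supplementary groups are read at process start and a running clamd or dansguardian will not see the new membership.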
# Privileged user(s) will bypass the content filter: | # Privileged user(s) will bypass the content filter: |
PRIVUSERS="root alien" | PRIVUSERS="root alien" |
for user in $EXEMPTUSERS; do | for user in $PRIVUSERS; do |
/usr/sbin/iptables -A OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner $user -j ACCEPT | /usr/sbin/iptables -A OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner $user -j ACCEPT |
done | done |
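Review bot: the `$EXEMPTUSERS` to `$PRIVUSERS` change in the `for` loop is the actual bug fix: the variable defined two lines above is `PRIVUSERS`, so the old loop expanded to an empty word list, the body never ran, and no privileged user was ever exempted from the redirect. To catch this class of mistake in future, run the firewall script with `set -u` so an unset variable aborts instead of expanding to nothing, and quote the value in the iptables call (`--uid-owner "$user"`). Note also that `--uid-owner` resolves the name when the rule is inserted, so a name missing from `/etc/passwd` makes `iptables` fail loudly at that line, which is the preferable failure mode compared to the silent no-op this hunk fixes.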
The message was hidden in the section on iptables, but I will repeat it in it's own section: | The message was hidden in the section on iptables, but I will repeat it in it's own section: |
| |
This setup will make __//any//__ user account on your Linux computer subject to http content filtering, __//except//__ for those user accounts that are listed in the variable PRIVUSERS. We defined PRIVUSERS in the firewall script (see the [[#example_configuration_files|last section]] for it's listing). You need to add the user account names to that variable that you want to grant unfiltered Internet browsing. The definition of this variable in my example looked like this: | This setup will make __//any//__ user account on your Linux computer subject to http content filtering, __//except//__ for those user accounts that are listed in the variable PRIVUSERS. We defined PRIVUSERS in the firewall script (see the [[#example_configuration_files|last section]] for it's listing). You need to add the user account names to that variable that you want to grant unfiltered Internet browsing. The definition of this variable in my example looked like this: <code> |
| PRIVUSERS="root alien" |
PRIVUSERS="root alien" | </code> |
| |
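Review bot: the `<code>` wrapper around `PRIVUSERS="root alien"` fixes the rendering, but the paragraph above it still under-describes the scope of the exemption: the owner match is by uid, so listing `root` exempts every process running as root (daemons, cron jobs, anything started with `su`), not only that person's interactive browsing, and the sentence should say so before telling the reader which accounts to add. Separately, "it's own section" and "for it's listing" should both read "its".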
===== Starting the programs ===== | ===== Starting the programs ===== |
/usr/sbin/iptables -A OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner nobody -j ACCEPT | /usr/sbin/iptables -A OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner nobody -j ACCEPT |
/usr/sbin/iptables -A OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner clamav -j ACCEPT | /usr/sbin/iptables -A OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner clamav -j ACCEPT |
for user in $EXEMPTUSERS; do | for user in $PRIVUSERS; do |
/usr/sbin/iptables -A OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner $user -j ACCEPT | /usr/sbin/iptables -A OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner $user -j ACCEPT |
done | done |
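Review bot: the two unconditional `ACCEPT` rules for `--uid-owner nobody` and `--uid-owner clamav` match every process running under those uids, not just dansguardian and clamd, so any other service that happens to run as `nobody` (a shared unprivileged account on most systems) gets unfiltered outbound port 80 as a side effect. Either run the filter under a dedicated uid so the exemption is specific to it, or narrow the `nobody` rule (for example with `-d` to the address the proxy actually talks to), and add a comment above each of these lines stating which daemon it exists for, since they are easy to mistake for ordinary user exemptions when read next to the `PRIVUSERS` loop.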
/usr/sbin/iptables -D OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner nobody -j ACCEPT | /usr/sbin/iptables -D OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner nobody -j ACCEPT |
/usr/sbin/iptables -D OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner clamav -j ACCEPT | /usr/sbin/iptables -D OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner clamav -j ACCEPT |
for user in $EXEMPTUSERS; do | for user in $PRIVUSERS; do |
/usr/sbin/iptables -D OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner $user -j ACCEPT | /usr/sbin/iptables -D OUTPUT -t nat -p tcp --dport 80 -m owner --uid-owner $user -j ACCEPT |
done | done |
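Review bot: the `-D` lines mirror the `-A` lines exactly, which `iptables -D` requires in order to find the rule, but it also ties the stop sequence to `PRIVUSERS` having the same value it had at start time: if the variable is edited while the rules are loaded, the old rules stay in the nat `OUTPUT` chain after stop, and the next start appends duplicates because `-A` never checks for an existing identical rule. Putting these rules in a dedicated user-defined chain that is jumped to from `OUTPUT` and flushed (`-F`) and deleted (`-X`) on stop is more robust than deleting rule by rule, and it also makes the start path idempotent.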