You create a block at the network level for any traffic that isn't going through the proxy.
this post was submitted on 19 Jan 2025
24 points (96.2% liked)
Linux
49393 readers
2029 users here now
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Rules
- Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
- No misinformation
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
founded 5 years ago
MODERATORS
or even on the computer itself with iptables
Nice try, dad.
You could spawn their processes in a isolated network namespace, connected to a proxy via tun interface. You can then setup firewall rules on that interface to block all traffic, except the proxy an maybe your own dns - that should all be out of the users „reach“.
Yes, and no.
Some settings are harder to circumvent, like partition limits, cgroups, and sysconfig. Others are more suggestion than limit, like shell. DNS server and ssh server settings only require a knowledgeable person to circumvent.
It is best to use layers. Helpfully provide working configs. Kindly provide limits to dissuade ill use. Keenly monitor for the unexpected. Strongly block on many layers the forbidden. Come down like the hammer of god on anyone and anything that still gets through.
Hopefully smarter people than I chime in, but if the users aren't part of sudoers then they shouldn't be able to install anything. However app images exist, and I'm not sure if those TOR out without network control
besides just downloading and running a binary, there are plenty of package managers that work in the user space and don't need root access.
If you are setting up a secure system though you would only use a package manager that needed sudo
Trying to "secure" a turing-complete computer system by some arbitrary limits like that will never work. Unless you manage to directly prevent traffic that isn't going through your proxy, it's all pointless as people will just hack stuff together, be it by downloading binaries themselves and placing them in the home dir, or even by running them in-memory.
Who's setting up the system is not necessarily the same person using it.
If you only allow users as non sudoers, is what I assumed
You can simply just download a binary and run it.
Mounting home and temp partitions with noexec should prevent that.
Many electron apps will break because they install some executables into ~/. config
So double win!
Nah, still easy to circumvent. This should work: https://github.com/hackerschoice/memexec, or (for dynamic exes) just call them through ld-linux.
Sure but will it bypass your established network routing if it can't change it?
And that would be enough to bypass root settings?
If someone wants to prevent users to mess with the system should he just disallow downloads entirely/confine the user into an intranet?
Depends on the root setting. And depends on your goal. What is the purpose of the proxy? I doubt that it is easy to bypass, but you still could run a Proxy or VPN as user, this would not bypass the proxy but any filtering/blocking would not be possible. Etc