21 Apr, 2010, Tyche wrote in the 1st comment:
Votes: 0
How do I grant rights to specific network ports to specific users or groups?
21 Apr, 2010, David Haley wrote in the 2nd comment:
Votes: 0
I think it depends on the flavor of Unix that you're using; as far as I know there's not a standard way across distributions.
21 Apr, 2010, quixadhal wrote in the 3rd comment:
Votes: 0
I don't believe that's a standard thing. You'd probably have to install an extension for whichever flavor of unix you're using. I know there was a network quota module for linux, but that limited bandwidth, not specific ports.

One thing you might be able to do, if your firewall setup allows it, is to tag packets from processes owned by particular users so the firewall can allow or deny them. I think OpenBSD's pf allows this, but I've never looked into it (nobody logs into the firewall itself, and "user" is meaningless outside the machine).
24 Apr, 2010, Zeno wrote in the 4th comment:
Votes: 0
I've never tried this, I just leave it to the honor system. Quota, ports, etc. are all open to be used. Users just mention the port(s) they want to use. I can't remember any hosts I've been on doing this.

Maybe try asking on StackOverflow or something.
24 Apr, 2010, Cratylus wrote in the 5th comment:
Votes: 0
AFAIK it Just Doesn't Work That Way by default on unix in general. There are some flavors with exotic extensions to their networking (like AIX iirc) that allow you to turn on stuff like that if you're on a compatible network…but in general the default attitude of unix is to let users use whatever unprivileged ports don't happen to be in use.

If you're on a unix version that uses iptables, that might be a good starting point for googling an answer. For example:

http://www.cyberciti.biz/tips/block-outg...

suggests something that looks like

Quote
iptables -A OUTPUT -o ethX -m owner --uid-owner {USERNAME} -j DROP

as a default rule, with exceptions added for specific stuff.

The full solution will involve some digging around but that's probably a good start.

-Crat
http://lpmuds.net
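The "default DROP rule with exceptions" that Cratylus sketches, written out as a small POSIX shell helper. This is an added example, not code from the thread or the linked page; the chain name `PORTS_<user>`, the helper name `user_port_policy`, and the `RUN_IPTABLES` switch are constructed for illustration. It relies on two things that are true of real iptables: the `owner` match (`--uid-owner`) only sees locally generated packets, so it belongs in the OUTPUT chain, and rules are evaluated in order, so the ACCEPT exceptions must precede the DROP. By default the script only prints the rules it would add; set `RUN_IPTABLES=iptables` (as root) to actually apply them.

```shell
#!/bin/sh
# Constructed example: confine one user's outgoing traffic on an interface to
# replies from a fixed set of TCP server ports, dropping everything else that
# user's processes send. The owner match cannot see inbound packets, so the
# effect of dropping the user's replies is that connections to any other port
# the user opens never complete the handshake.
#
# usage: user_port_policy USER IFACE PORT [PORT...]
# Prints the iptables commands unless RUN_IPTABLES=iptables is set.
user_port_policy() {
    user="$1"; iface="$2"; shift 2
    chain="PORTS_${user}"                     # one chain per user (assumed naming)
    ipt="${RUN_IPTABLES:-echo iptables}"      # dry-run by default

    # Per-user chain so the exceptions stay together and are easy to inspect.
    $ipt -N "$chain"

    # Every packet this user's processes emit on the interface is diverted
    # into the per-user chain. --uid-owner takes a name or a numeric uid.
    $ipt -A OUTPUT -o "$iface" -m owner --uid-owner "$user" -j "$chain"

    # Exceptions first: packets leaving from the permitted server ports,
    # i.e. the replies a listener on that port sends to its clients.
    for port in "$@"; do
        $ipt -A "$chain" -p tcp --sport "$port" -j ACCEPT
    done

    # Final rule: anything else the user sends on this interface is dropped.
    $ipt -A "$chain" -j DROP
}

# Example invocation (prints five iptables commands; does not need root):
user_port_policy alice eth0 4000 4001
```

If the user also needs to act as a client (package updates, outbound MUD links), add `--dport` ACCEPT rules for those destinations before the DROP in the same chain. Logging the drops (`-j LOG` just before `-j DROP`) is the quickest way to find out which legitimate traffic the policy is breaking.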
24 Apr, 2010, Tyche wrote in the 6th comment:
Votes: 0
I was hoping this was as simple as following the "everything is a file" approach and I'd find some magic device, like a /dev/eth0/ip/tcp/4000 or something which I could then assign group permissions on.

Thanks for all the answers.
24 Apr, 2010, David Haley wrote in the 7th comment:
Votes: 0
It's a little surprising considering how much other stuff has permissions, but oh well.