On 4 Jul 2003, D. J. Bernstein wrote:

> Richard M. Smith writes:
>
> P.S. It's hard for a portable chroot tool to cut off a program's network
> access. Kernel designers should provide a disablenetwork() syscall, with
> the disabling inherited by children. Other kernel changes would be nice,
> but disablenetwork() is the only critical change.
>

Look at selinux. You can drop any privileges under selinux or Bull Dog, or
you can use Linux Socket Filtering in user space with kernel 2.4.18+

--
Enjoy,
Richard Rager
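Added example, not part of the original message and not code from either poster: one way to get the "disabling inherited by children" behaviour the quoted text asks for on a current Linux kernel, using a seccomp-BPF filter, a mechanism that postdates this thread and that neither poster mentions. The names `disable_network`, `socket_errno_in_child` and `BUILD_ARCH` are hypothetical, and the sketch assumes x86_64 or aarch64, where `socket()` is a direct syscall.

```c
#include <errno.h>
#include <stddef.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#if defined(__x86_64__)
#define BUILD_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define BUILD_ARCH AUDIT_ARCH_AARCH64
#else
#error "example covers x86_64 and aarch64 only"
#endif

/* Hypothetical helper: refuse new sockets here and in all descendants.
 * Sockets opened before the call stay usable, so call it early. */
int disable_network(void) {
    struct sock_filter f[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, BUILD_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS), /* foreign ABI */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x40000000, 0, 1), /* x32 range */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EACCES),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof f / sizeof f[0], .filter = f };
    /* no_new_privs lets an unprivileged process install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* errno a grandchild gets from socket() after its parent disabled it. */
int socket_errno_in_child(void) {
    int st = 0;
    pid_t pid = fork();
    if (pid == 0) {
        if (disable_network() != 0) _exit(255);
        pid_t kid = fork();              /* the filter is inherited here */
        if (kid == 0) _exit(socket(AF_INET, SOCK_STREAM, 0) < 0 ? errno : 0);
        if (kid < 0 || waitpid(kid, &st, 0) < 0) _exit(254);
        _exit(WEXITSTATUS(st));
    }
    if (pid < 0 || waitpid(pid, &st, 0) < 0) return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}
```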