
I block all Internet traffic for my kids' Linux accounts using iptables. Sometimes I want to allow them to use one program or another. In such cases I enable them to run that program as another (unlimited) user via sudoers. This time I tried to enable them to use zoom as described here and it worked. The problem is that zoom launches a browser (e.g. once "Help" is clicked) as the unlimited user, which makes the whole approach totally useless.

Is there a way to limit the user kiddy to be able to run only sudo -u daddy /usr/bin/zoom and at the same time block zoom from launching a browser (or maybe even any subprocesses)?

user1876484
  • You can do it with AppArmor. Config is a little involved, but there may be a config for this already written. The hard bit is getting it to stop everything that you want to stop, while not stopping it from working. – ctrl-alt-delor Jan 01 '21 at 11:14
  • I'd suggest updating the summary, because you do not want to prevent subprocesses in general, but either disallow specific ones or just allow specific ones (it seems to me). – U. Windl Jan 13 '21 at 10:33

1 Answer


You can prevent a process from forking children by setting the RLIMIT_NPROC limit. For instance, with zsh:

#! /bin/zsh -
# Set the hard limit on the number of processes (RLIMIT_NPROC) to 0,
# so any later fork() attempted by this process fails with EAGAIN.
limit -h maxproc 0
# Replace this shell with zoom in the same process (no fork involved).
exec zoom "$@"

Would start zoom and prevent it from forking children by setting a hard limit on the maximum number of processes.

Now, I can't tell about zoom specifically, but depending on the application, that may prevent it from working as it may fork children as part of its normal operation. Also note that it would still be able to execute firefox in the same process. Forking processes and executing commands are two different things. That's how the process running zsh is able to execute zoom in that script.

Stéphane Chazelas
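Added demonstration (not part of the original answer) of the distinction the answer draws: with RLIMIT_NPROC set to 0 a process can no longer fork(), yet it can still execve() another program in place. It assumes Linux or another Unix that enforces RLIMIT_NPROC per user, that /bin/sh exists, and, when run as root, that uid 65534 (nobody) exists to drop to, because CAP_SYS_RESOURCE/CAP_SYS_ADMIN bypass the limit.

```python
"""Probe: does RLIMIT_NPROC=0 block fork() but not execve()?  Added demo."""
import os
import resource

EXEC_MARKER = 42  # constructed exit status the exec'd command returns

def _child_probe():
    """Runs in a forked child: set the hard process limit to 0, then try
    to fork, then try to exec.  The exit status encodes what happened."""
    # Root bypasses RLIMIT_NPROC, so drop to an unprivileged uid first
    # (uid/gid 65534 = nobody, assumed to exist).  Do this BEFORE lowering
    # the limit: a set*uid that exceeds the limit makes the next exec fail.
    if os.geteuid() == 0:
        try:
            os.setgid(65534)
            os.setuid(65534)
        except OSError:
            os._exit(4)   # could not drop privileges; result inconclusive
    # Equivalent of the answer's `limit -h maxproc 0`: soft and hard to 0.
    resource.setrlimit(resource.RLIMIT_NPROC, (0, 0))
    try:
        pid = os.fork()
    except BlockingIOError:
        pass            # EAGAIN: fork refused, as intended
    else:
        if pid == 0:
            os._exit(0)
        os.waitpid(pid, 0)
        os._exit(2)     # fork unexpectedly succeeded (limit not enforced)
    # exec replaces this process without creating a new one, so the limit
    # does not stop it: the shell we exec into reports EXEC_MARKER.
    try:
        os.execv("/bin/sh", ["sh", "-c", f"exit {EXEC_MARKER}"])
    except OSError:
        os._exit(3)     # exec refused

def demo_nproc_limit():
    """Fork a probe child and return its exit status:
    42 -> fork blocked, exec allowed (the behaviour the answer describes)
     2 -> fork not blocked (privileged process);  3 -> exec failed
     4 -> could not drop root privileges;  5 -> probe raised unexpectedly"""
    pid = os.fork()
    if pid == 0:
        _child_probe()
        os._exit(5)
    _, status = os.waitpid(pid, 0)
    return os.WEXITSTATUS(status)

if __name__ == "__main__":
    print("probe exit status:", demo_nproc_limit())
```

A result of 42 confirms the answer's point: the limit stops new processes, not the replacement of the current one by a browser or anything else zoom chooses to exec.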