Or: how to do security by obscurity and open a backdor.
Setting is that daughter is root anyway and we secretely deny her internet via ufw default rules.
Get some python3 skills (back) during the way.
-
Initially the firewall is set to block everything.
-
Timed Un-locks can be defined (i.e. open the firewall for X minutes)
-
A cronjob checks every minute if the firewall should be kept open.
-
Opening rules are files named by timestamp.
-
To prevent the opening rules persist after shutdown within an Un-Lock window (ufw doesnt know temporary rules), the cronjob will check if it already ran once, if not, close the firewall.
-
Because of insecure shebangs in python-scripts, wrote C wrappers.
-
A tool exists to create opening rule timestamp files. The password check is done supersecure using base64 (she is root anyway).
- Place everything in
/opt/pynternet
- Compile the wrapper (daughter runs on ARM, have no cross-compiling expertise)
gcc pynternet.c -o pynternet_open
- Make it a suid, so it can manipulate ufw rules
sudo chown root pynternet_open
sudo chmod u+s pynternet_open
- Add cronjob
sudo crontab -u root -e # */1 * * * * /opt/pynternet/pynternetcheck.py
Networking services and/or interfaces could be shut down instead:
sudo nmcli networking off
sudo systemctl stop NetworkManager
sudo systemctl disable NetworkManager
sudo systemctl mask NetworkManager
sudo systemctl unmask systemd-networkd.service
sudo systemctl enable systemd-networkd.service
sudo systemctl start systemd-networkd.service