#group #user #privileges

app rwog

Run a program as if you were not a member of certain supplementary groups. Cannot grant privileges or change /etc/group.

4 releases

Uses old Rust 2015

0.2.3 Apr 11, 2018
0.2.1 Apr 11, 2018
0.1.1 Apr 1, 2018
0.1.0 Apr 1, 2018

#692 in Operating systems

MIT license

8KB
118 lines

NAME

rwog - run without groups

SYNOPSIS

rwog -g <groups>... [-- command-with-args...]

DESCRIPTION

rwog lets you run a given command while temporarily reducing your group membership. It does not modify /etc/group or /etc/passwd, and cannot grant you permissions you don't already have. Possible use cases for rwog include:

  • In a shared system for which you are a privileged user, pretending that you are an unprivileged user without logging in as one.
  • Testing a program's behavior when it doesn't have the group memberships it needs.

OPTIONS

-h, --help
Display the help.

-g, --groups
Run the given command without these groups, given by name (not number). You cannot drop your primary group membership (which is output by id -gn). Groups that don't exit or that you're not already a member of are ignored.

SEE ALSO

id(1), getent(1), groups(1), group(5)

BUGS

  • Does not support gids given by number. When it does, such gids will be given of the form +gid_number, as is the case with most coreutils programs.

CAVEATS

rwog must have the capability CAP_SETGID in order to be used. Grant it with setcap $(which rwog) cap_setgid=pe if your package manager hasn't done so already. You could run it as root, but given that rwog is supposed to reduce privileges you'd be missing the point entirely.

I cannot promise that rwog is entirely secure. I'm not doing anything blatantly wrong, but it's possible that there's something I missed. Do not let untrusted users run rwog.

LICENSE

MIT.

Dependencies

~3MB
~49K SLoC