Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/jessetg/rwog
Run without groups: Pretend you're not a member of certain supplementary groups
https://github.com/jessetg/rwog
command-line-tool group-membership groups linux permissions privileges rust unix
Last synced: about 1 month ago
JSON representation
Run without groups: Pretend you're not a member of certain supplementary groups
- Host: GitHub
- URL: https://github.com/jessetg/rwog
- Owner: JesseTG
- License: mit
- Created: 2018-03-31T19:14:24.000Z (over 6 years ago)
- Default Branch: master
- Last Pushed: 2022-09-08T00:58:08.000Z (over 2 years ago)
- Last Synced: 2024-11-14T05:26:06.729Z (about 1 month ago)
- Topics: command-line-tool, group-membership, groups, linux, permissions, privileges, rust, unix
- Language: Rust
- Size: 39.1 KB
- Stars: 1
- Watchers: 3
- Forks: 0
- Open Issues: 9
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
NAME
====rwog - *r*un *w*ith*o*ut *g*roups
SYNOPSIS
========rwog -g <groups>... \[-- *command-with-args*...\]
DESCRIPTION
===========**rwog** lets you run a given command while temporarily reducing your group membership. It does not modify `/etc/group` or `/etc/passwd`, and cannot grant you permissions you don't already have. Possible use cases for `rwog` include:
- In a shared system for which you are a privileged user, pretending that you are an unprivileged user without logging in as one.
- Testing a program's behavior when it doesn't have the group memberships it needs.OPTIONS
=======**-h**, **--help**
Display the help.**-g**, **--groups**
Run the given command without these groups, given by name (not number). You cannot drop your primary group membership (which is output by `id -gn`). Groups that don't exit or that you're not already a member of are ignored.SEE ALSO
========`id`(1), `getent`(1), `groups`(1), `group`(5)
BUGS
====- Does not support `gid`s given by number. When it does, such `gid`s will be given of the form *`+gid_number`*, as is the case with most `coreutils` programs.
CAVEATS
=======`rwog` must have the capability `CAP_SETGID` in order to be used. Grant it with `setcap $(which rwog) cap_setgid=pe` if your package manager hasn't done so already. You could run it as root, but given that `rwog` is supposed to *reduce* privileges you'd be missing the point entirely.
I cannot promise that `rwog` is entirely secure. I'm not doing anything blatantly wrong, but it's possible that there's something I missed. **Do not let untrusted users run `rwog`.**
LICENSE
=======MIT.