Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/jessetg/rwog

Run without groups: Pretend you're not a member of certain supplementary groups
https://github.com/jessetg/rwog

command-line-tool group-membership groups linux permissions privileges rust unix

Last synced: about 1 month ago
JSON representation

Run without groups: Pretend you're not a member of certain supplementary groups

Awesome Lists containing this project

README

        

NAME
====

rwog - *r*un *w*ith*o*ut *g*roups

SYNOPSIS
========

rwog -g <groups>... \[-- *command-with-args*...\]

DESCRIPTION
===========

**rwog** lets you run a given command while temporarily reducing your group membership. It does not modify `/etc/group` or `/etc/passwd`, and cannot grant you permissions you don't already have. Possible use cases for `rwog` include:

- In a shared system for which you are a privileged user, pretending that you are an unprivileged user without logging in as one.
- Testing a program's behavior when it doesn't have the group memberships it needs.

OPTIONS
=======

**-h**, **--help**
Display the help.

**-g**, **--groups**
Run the given command without these groups, given by name (not number). You cannot drop your primary group membership (which is output by `id -gn`). Groups that don't exit or that you're not already a member of are ignored.

SEE ALSO
========

`id`(1), `getent`(1), `groups`(1), `group`(5)

BUGS
====

- Does not support `gid`s given by number. When it does, such `gid`s will be given of the form *`+gid_number`*, as is the case with most `coreutils` programs.

CAVEATS
=======

`rwog` must have the capability `CAP_SETGID` in order to be used. Grant it with `setcap $(which rwog) cap_setgid=pe` if your package manager hasn't done so already. You could run it as root, but given that `rwog` is supposed to *reduce* privileges you'd be missing the point entirely.

I cannot promise that `rwog` is entirely secure. I'm not doing anything blatantly wrong, but it's possible that there's something I missed. **Do not let untrusted users run `rwog`.**

LICENSE
=======

MIT.