Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/jessetg/rwog

Run without groups: Pretend you're not a member of certain supplementary groups
https://github.com/jessetg/rwog

command-line-tool group-membership groups linux permissions privileges rust unix

Last synced: about 9 hours ago
JSON representation

Run without groups: Pretend you're not a member of certain supplementary groups

Host: GitHub
URL: https://github.com/jessetg/rwog
Owner: JesseTG
License: mit
Created: 2018-03-31T19:14:24.000Z (over 6 years ago)
Default Branch: master
Last Pushed: 2022-09-08T00:58:08.000Z (about 2 years ago)
Last Synced: 2024-11-14T05:26:06.729Z (about 23 hours ago)
Topics: command-line-tool, group-membership, groups, linux, permissions, privileges, rust, unix
Language: Rust
Size: 39.1 KB
Stars: 1
Watchers: 3
Forks: 0
Open Issues: 9
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

        NAME

====

rwog - *r*un *w*ith*o*ut *g*roups

SYNOPSIS

========

rwog -g <groups>... \[-- *command-with-args*...\]

DESCRIPTION

===========

**rwog** lets you run a given command while temporarily reducing your group membership. It does not modify `/etc/group` or `/etc/passwd`, and cannot grant you permissions you don't already have. Possible use cases for `rwog` include:

-   In a shared system for which you are a privileged user, pretending that you are an unprivileged user without logging in as one.

-   Testing a program's behavior when it doesn't have the group memberships it needs.

OPTIONS

=======

**-h**, **--help**  

Display the help.

**-g**, **--groups**  

Run the given command without these groups, given by name (not number). You cannot drop your primary group membership (which is output by `id -gn`). Groups that don't exit or that you're not already a member of are ignored.

SEE ALSO

========

`id`(1), `getent`(1), `groups`(1), `group`(5)

BUGS

====

-   Does not support `gid`s given by number. When it does, such `gid`s will be given of the form *`+gid_number`*, as is the case with most `coreutils` programs.

CAVEATS

=======

`rwog` must have the capability `CAP_SETGID` in order to be used. Grant it with `setcap $(which rwog) cap_setgid=pe` if your package manager hasn't done so already. You could run it as root, but given that `rwog` is supposed to *reduce* privileges you'd be missing the point entirely.

I cannot promise that `rwog` is entirely secure. I'm not doing anything blatantly wrong, but it's possible that there's something I missed. **Do not let untrusted users run `rwog`.**

LICENSE

=======

MIT.