README.pandoc

% rwog(1) rwog 0.1.1
% Jesse Talavera-Greenberg
% April 1, 2018

# NAME

rwog - *r*un *w*ith*o*ut *g*roups

# SYNOPSIS

rwog -g \<groups\>... [-- *command-with-args*...]

# DESCRIPTION

`rwog` lets you run a given command while temporarily reducing your group
membership.  It does not modify `/etc/group` or `/etc/passwd`, and cannot
grant you permissions you don't already have.  Possible use cases for `rwog`
include:

* In a shared system for which you are a privileged user, pretending that you
  are an unprivileged user without logging in as one.
* Testing a program's behavior when it doesn't have the group memberships it
  needs.

# OPTIONS

`-h`, `--help`
:   Display the help.

`-g`, `--groups`
:   Run the given command without these groups, given by name (not number).
    You cannot drop your primary group membership (which is output by `id -gn`).
    Groups that don't exit or that you're not already a member of are ignored.

# SEE ALSO

`id`(1), `getent`(1), `groups`(1), `group`(5)

# BUGS

- Does not support `gid`s given by number.  When it does, such `gid`s will be
  given of the form *`+gid_number`*, as is the case with most `coreutils` programs.

# CAVEATS

`rwog` must have the capability `CAP_SETGID` in order to be used.  Grant it
with `setcap $(which rwog) cap_setgid=pe` if your package manager hasn't done
so already.  You could run it as root, but given that `rwog` is supposed to
*reduce* privileges you'd be missing the point entirely.

I cannot promise that `rwog` is entirely secure.  I'm not doing anything
blatantly wrong, but it's possible that there's something I missed.  **Do not
let untrusted users run `rwog`.**

# LICENSE

MIT.