% rwog(1) rwog 0.1.1
% Jesse Talavera-Greenberg
% April 1, 2018
# NAME
rwog - *r*un *w*ith*o*ut *g*roups
# SYNOPSIS
rwog -g \<groups\>... [-- *command-with-args*...]
# DESCRIPTION
`rwog` lets you run a given command while temporarily reducing your group
membership. It does not modify `/etc/group` or `/etc/passwd`, and cannot
grant you permissions you don't already have. Possible use cases for `rwog`
include:
* In a shared system for which you are a privileged user, pretending that you
are an unprivileged user without logging in as one.
* Testing a program's behavior when it doesn't have the group memberships it
needs.
# OPTIONS
`-h`, `--help`
: Display the help.
`-g`, `--groups`
: Run the given command without these groups, given by name (not number).
You cannot drop your primary group membership (which is output by `id -gn`).
Groups that don't exist or that you're not already a member of are ignored.
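
The rules above (named groups are removed, the primary group is kept, unknown or non-member groups are ignored) map onto `getgroups`(2) and `setgroups`(2). The following C program is an added example, not `rwog`'s own code; the program name `dropgroups`, its comma-separated first argument and the helper `filter_groups` are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE /* exposes setgroups() in glibc's <grp.h> */
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Copy cur[] into out[], skipping any gid listed in drop[]. The primary gid
 * is always kept. Returns the number of gids written to out[]. */
size_t filter_groups(const gid_t *cur, size_t ncur, const gid_t *drop,
                     size_t ndrop, gid_t primary, gid_t *out) {
    size_t kept = 0;
    for (size_t i = 0; i < ncur; i++) {
        int dropped = 0;
        for (size_t j = 0; j < ndrop && !dropped; j++)
            dropped = (cur[i] == drop[j] && cur[i] != primary);
        if (!dropped) out[kept++] = cur[i];
    }
    return kept;
}

/* Hypothetical usage: ./dropgroups name1,name2 command [args...] */
int main(int argc, char **argv) {
    if (argc < 3) { fprintf(stderr, "usage: %s g1,g2 cmd [args]\n", argv[0]); return 2; }
    int n = getgroups(0, NULL);                 /* ask for the list size */
    if (n < 0) { perror("getgroups"); return 1; }
    gid_t *cur = calloc((size_t)n + 1, sizeof *cur);
    gid_t *out = calloc((size_t)n + 1, sizeof *out);
    gid_t *drop = calloc(strlen(argv[1]) + 1, sizeof *drop);
    if (!cur || !out || !drop) { perror("calloc"); return 1; }
    if ((n = getgroups(n, cur)) < 0) { perror("getgroups"); return 1; }

    size_t ndrop = 0;
    for (char *name = strtok(argv[1], ","); name; name = strtok(NULL, ",")) {
        struct group *g = getgrnam(name);
        if (g) drop[ndrop++] = g->gr_gid;       /* names that don't resolve are ignored */
    }
    size_t kept = filter_groups(cur, (size_t)n, drop, ndrop, getgid(), out);

    /* Fails with EPERM unless the process holds CAP_SETGID. */
    if (setgroups(kept, out) != 0) { perror("setgroups"); return 1; }
    execvp(argv[2], &argv[2]);                  /* only returns on failure */
    perror("execvp");
    return 127;
}
```

Because the new list is always a subset of the current one, the filter can only remove memberships, never add them.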
# SEE ALSO
`id`(1), `getent`(1), `groups`(1), `group`(5)
# BUGS
- Does not support `gid`s given by number. When it does, such `gid`s will be
given in the form *`+gid_number`*, as is the case with most `coreutils` programs.
# CAVEATS
`rwog` must have the capability `CAP_SETGID` in order to be used. Grant it
with `setcap cap_setgid=pe "$(which rwog)"` if your package manager hasn't done
so already. You could run it as root, but given that `rwog` is supposed to
*reduce* privileges you'd be missing the point entirely.

I cannot promise that `rwog` is entirely secure. I'm not doing anything
blatantly wrong, but it's possible that there's something I missed. **Do not
let untrusted users run `rwog`.**
# LICENSE
MIT.