
#1 2018-06-14 22:28:48

Maniaxx
Member
Registered: 2014-05-14
Posts: 732

[SOLVED]Start executable as different group with setgid?

I want to start an executable file under a different group than the active uid/gid spawning it.
For example, /usr/bin/wine is root:root but it should be root:nonet (or $(id -un):nonet) when executed. It's possible with 'sudo -g nonet /usr/bin/wine' but this wouldn't stop any other link/starter doing otherwise (e.g. qt4wine, Thunar...). I thought it could be done by 'chown root:nonet /usr/bin/wine && chmod g+s /usr/bin/wine' but it has no effect.

I have an iptable rule that blocks all 'nonet' group members (group-based personal firewall):

iptables -A OUTPUT -m owner --gid-owner nonet ! -d 192.168.0.0/16 -j REJECT

It works with 'sudo' command but not with 'chmod g+s'.

Isn't the setgid attribute intended to do that as well?

Last edited by Maniaxx (2018-06-15 13:15:48)


sys2064


#2 2018-06-15 00:06:41

Haller
Member
Registered: 2018-04-08
Posts: 45

Re: [SOLVED]Start executable as different group with setgid?

Setgid is ignored in many cases, for example if it is set on a shell script, because this would be a security risk.
What kind of program is /usr/bin/wine?

You can create a shell script /usr/local/bin/wine that starts "sudo -g GID /usr/bin/wine".
Other wine starters will use /usr/local/bin/wine instead of /usr/bin/wine. But this doesn't work if the starter uses the full path...


#3 2018-06-15 00:15:48

eschwartz
Fellow
Registered: 2014-08-08
Posts: 4,097

Re: [SOLVED]Start executable as different group with setgid?

It's entirely possible that wine has code to drop the setgid bit. bash will do so if it detects it is being run with setuid/setgid. This is because it's a massive security hole to run a *shell* as setuid/setgid...

Guess what? wine is a shell too...

BTW it is trivial to do this with sudo anyway, set a sudoers rule:

ALL ALL (:nonet) NOPASSWD: ALL

Allowing any user anywhere to run any command using sudo, but only as the :nonet usergroup, which means no permissions to change user, but only to change group to "nonet". This is presumably safe since, according to your explanation, this group only exists for filtering purposes, and owns nothing which needs to be hidden.

You could then make /usr/local/bin/wine a wrapper script which just does exec sudo -g nonet /usr/bin/wine "$@"

The bigger question I have is, what are you even trying to do? This is trivially circumvented if you're afraid of an attacker, because they're not forced to use some random group. And a default permissive policy is weak, generally you'd want to use a default restrictive policy and give permissions where needed.

The biggest question I have is, are you at all concerned that any files the setgid program creates will be created as owned by the "nonet" group, and therefore absolutely anyone who can run wine or whichever programs as setgid, has unix group access to those files? By default group and other both have rX access, but I'm sure there will be situations where this is bad.

So, I'd seriously suggest reconsidering the use of groups for this.


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)


#4 2018-06-15 05:58:08

seth
Member
Registered: 2012-09-03
Posts: 50,005

Re: [SOLVED]Start executable as different group with setgid?

Looks like an "abuse" of iptables as pfw (while possible, it shares all the flaws of a pfw handling outbound traffic - i.e. it's not secure against attacks)
=> https://wiki.archlinux.org/index.php/Firejail

If you just want to prevent games from phoning home your lousy scores, you could shadow /usr/bin/wine w/ /usr/local/bin/wine (assuming /usr/local/bin is up in your $PATH) where the latter is a script calling

#!/bin/sh
sudo -g nonet /usr/bin/wine

Since /usr/share/applications/wine.desktop invokes the "wine" binary in $PATH, this should impact Thunar etc. when clicking some .exe…
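Added example (not code from any of the posters): a small POSIX sh helper set for the wrapper approach described in posts #3 and #4. It writes the /usr/local/bin/wine-style wrapper that execs "sudo -g GROUP REAL_BINARY" while forwarding arguments, checks post #4's caveat that the wrapper directory must come before /usr/bin in $PATH for the shadowing to work, and checks whether a file is an interpreted script (starts with "#!"), which is the case where the kernel ignores setuid/setgid bits as post #2 notes. The group name nonet and the wine paths are taken from the thread; the temporary directory used in the demo at the bottom is an assumption for illustration.

```shell
#!/bin/sh
# Added example, not from the thread's authors. Helpers for the
# "shadow /usr/bin/wine with a sudo -g wrapper" approach (posts #3 and #4).

# Return 0 if $1 is a regular file beginning with "#!", i.e. an interpreted
# script. The kernel does not honour setuid/setgid on such scripts, which is
# why "chmod g+s" on a wrapper script changes nothing (post #2).
is_interpreted_script() {
    [ -f "$1" ] || return 1
    [ "$(head -c 2 "$1" 2>/dev/null)" = "#!" ]
}

# Return 0 if directory $1 appears before directory $2 in the PATH string $3,
# i.e. a wrapper placed in $1 actually shadows the binary in $2 (post #4's
# "assuming /usr/local/bin is up in your $PATH").
path_shadows() {
    want=$1; shadowed=$2; path=$3
    seen_want=0
    old_ifs=$IFS; IFS=:
    for d in $path; do
        [ "$d" = "$want" ] && seen_want=1
        if [ "$d" = "$shadowed" ]; then
            IFS=$old_ifs
            [ "$seen_want" -eq 1 ] && return 0
            return 1
        fi
    done
    IFS=$old_ifs
    return 1
}

# Write the wrapper to $1 (e.g. /usr/local/bin/wine), switching to group $2
# and exec'ing the real binary $3. "$@" is forwarded so arguments such as the
# .exe path still reach wine, as in post #3's "exec sudo -g nonet ... "$@"".
write_wrapper() {
    target=$1; group=$2; real=$3
    printf '%s\n' '#!/bin/sh' "exec sudo -g $group $real \"\$@\"" > "$target"
    chmod 755 "$target"
}

# Stand-alone demo in a temporary directory (assumed location; a real
# deployment would write to /usr/local/bin/wine instead).
demo_dir=$(mktemp -d)
write_wrapper "$demo_dir/wine" nonet /usr/bin/wine
cat "$demo_dir/wine"
if path_shadows "$demo_dir" /usr/bin "$demo_dir:$PATH"; then
    echo "wrapper in $demo_dir would shadow /usr/bin/wine"
fi
rm -rf "$demo_dir"
```

Note that the wrapper is itself an interpreted script, so it only works through sudo: sticking a setgid bit on it would be ignored just like on the wine binary.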


#5 2018-06-15 13:14:15

Maniaxx
Member
Registered: 2014-05-14
Posts: 732

Re: [SOLVED]Start executable as different group with setgid?

Thanks, I will do it by sudo then. Just wanted to make sure I'm not missing something with setgid.

And yes, I just want to block outbound traffic. Nothing security related.
The iptables method actually is taken from Android. Every app (runtime instance) uses its own uid/gid. Apps like AFWall do the rest.


sys2064


#6 2018-06-17 03:33:48

eschwartz
Fellow
Registered: 2014-08-08
Posts: 4,097

Re: [SOLVED]Start executable as different group with setgid?

Notice how Android uses separate users for each one...


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)


#7 2018-06-17 22:26:38

Maniaxx
Member
Registered: 2014-05-14
Posts: 732

Re: [SOLVED]Start executable as different group with setgid?

Indeed, going for both uid/gid is even better.


sys2064

