In Linux, how can I temporarily remove my association with a group?

3

0

I need to test Linux group permissions on a repository. In one shell, how can I temporarily remove one of my group associations?

e.g.
If my groups are defined as:

 % groups
 foo bar baz

How can I make it so it only returns foo bar without baz?

Ross Rogers

Posted 2010-01-21T17:54:11.397

Reputation: 3 025

In a comment, you mentioned you don't have root permissions, but it may be useful for those who do to take a look at gpasswd, newgrp, and possibly also /etc/sudoers for hints at implementing something. I'm currently looking into authorizing users to remove themselves from groups they're already in, but I'm more trying to do the opposite (temporarily add myself to groups so sensitive information is inaccessible until I want it), which may be easier. – StarCrashr – 2018-09-29T18:20:26.063

Answers

4

It IS possible.

Check out this code (valid C89, heh) I wrote in 25 mins. Usage example:

 whitequark@forth:~/skipgroup$ ls
 skipgroup.c
 whitequark@forth:~/skipgroup$ gcc skipgroup.c -o skipgroup
 whitequark@forth:~/skipgroup$ sudo chown root:root skipgroup
 whitequark@forth:~/skipgroup$ sudo chmod u+s skipgroup
 whitequark@forth:~/skipgroup$ groups
 whitequark adm dialout cdrom plugdev lpadmin admin sambashare
 whitequark@forth:~/skipgroup$ ./skipgroup
 Usage: ./skipgroup <group to remove>
 Must be SUID. Launches shell.
 whitequark@forth:~/skipgroup$ ./skipgroup cdrom
 $ id
 uid=1000(whitequark) gid=1000(whitequark) groups=4(adm),20(dialout),46(plugdev),104(lpadmin),114(admin),118(sambashare),1000(whitequark)

WARNING THIS CODE IS SUID!

While it drops privileges as you see on id's output, it MAY BE DANGEROUS. Dixi.

whitequark

Posted 2010-01-21T17:54:11.397

Reputation: 14 146

wow. If I had root permissions, I'd definitely try this out. – Ross Rogers – 2010-01-21T19:20:22.103

I think there is really no way to change your group list without root privileges. – whitequark – 2010-01-21T19:27:31.790
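The privilege-drop sequence that a SUID helper like the one in the answer above has to get right, as an added example (it is not whitequark's skipgroup.c, which is not reproduced on this page). The name `remove_gid`, the 1024-entry bound and the choice of `/bin/sh` are assumptions of this sketch.

```c
/* Added example, not whitequark's skipgroup.c. Must run with CAP_SETGID
 * (e.g. SUID root): drops one supplementary group, then drops root. */
#define _DEFAULT_SOURCE 1   /* exposes setgroups() in <grp.h> */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Compact list[] in place, omitting `drop`; returns the new length. */
static int remove_gid(gid_t *list, int n, gid_t drop)
{
    int i, kept = 0;
    for (i = 0; i < n; i++)
        if (list[i] != drop)
            list[kept++] = list[i];
    return kept;
}

int main(int argc, char **argv)
{
    gid_t groups[1024];            /* assumed bound; larger lists are refused */
    uid_t uid = getuid();          /* real IDs identify the invoking user */
    gid_t gid = getgid();
    struct group *gr;
    int n;

    if (argc != 2 || (gr = getgrnam(argv[1])) == NULL || gr->gr_gid == gid) {
        fprintf(stderr, "Usage: %s <supplementary group to remove>\n", argv[0]);
        return 2;
    }
    if ((n = getgroups(1024, groups)) < 0) {
        perror("getgroups");
        return 1;
    }
    n = remove_gid(groups, n, gr->gr_gid);
    /* Order matters: setgroups() and setgid() need root, so setuid() is last.
     * Each call is checked so a failed drop never reaches the exec. */
    if (setgroups(n, groups) != 0 || setgid(gid) != 0 || setuid(uid) != 0) {
        perror("dropping privileges");
        return 1;
    }
    if (uid != 0 && setuid(0) == 0) {   /* regaining root must now fail */
        fprintf(stderr, "privilege drop did not stick\n");
        return 1;
    }
    execl("/bin/sh", "sh", (char *)NULL);
    perror("execl");
    return 1;
}
```

The primary group is refused because `setgid(gid)` restores it regardless of the supplementary list. Since files and POSIX ACLs can deny access to a group, limit who may execute a binary like this.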

2

I think that this is not possible, since files (and POSIX ACLs) can specify subtractive rights for certain groups. Allowing people to escape from a group would then be a security hole.

Of course if you have root access, you could simply remove yourself from the group and do

 sudo su - $USER

Teddy

Posted 2010-01-21T17:54:11.397

Reputation: 5 504