
I want to prevent some apps from going to network, so I've created a no-internet group:
sudo groupadd -g 9876 no-internet
and created a script sudo gedit /usr/bin/ni

#!/bin/bash
# Run the given command with no-internet as its effective group, so the
# iptables --gid-owner rule below matches its packets. "$*" joins all
# arguments into the single command string that sg expects (the original
# passed only "$1", which drops any further arguments).
sg no-internet -c "$*"

And added an iptable rule

#!/bin/bash
# Drop every outbound packet from a process whose effective gid is no-internet
iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP

Now ni my_command should run an app in a restricted mode. However, I am getting:

sg: failed to crypt password with previous salt: Invalid argument

How can I run an app as the 'no-internet' group, without limiting my own access to LAN/WAN?

I've checked this question (claiming that requirements are contradictory)
How to switch a group without asking for a password?

But is it really so?

  • Is the user running ni in the no-internet group? – Archemar Mar 25 '18 at 13:47
  • I am a user (admin with root rights). I want to run ni untrusted-app in order to prevent this app from talking to internet. I don't want to block my own access to internet though. – sixtytrees Mar 25 '18 at 22:26

1 Answer


The user running the sg command must belong to the group being used.

here I belong to www-data group

archemar@unix:~$ id
uid=1003(archemar) gid=1002(stackexchange) groups=1002(stackexchange),27(sudo),33(www-data)

sg goes OK

archemar@unix:~$ sg www-data id
uid=1003(archemar) gid=33(www-data) groups=33(www-data),27(sudo),1002(stackexchange)

my gid is www-data

Now, I don't belong to ntp group

archemar@unix:~$ sg ntp id
Password:
sg: failed to crypt password with previous salt: Invalid argument
– Archemar
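The answer's point, that sg only switches without a password prompt when the caller is already a member of the target group, can be turned into a wrapper that checks membership before calling sg, so a missing membership produces a clear message instead of the "failed to crypt password" error. This is an added example, not code from the question or the answer; it assumes the no-internet group and the iptables --gid-owner DROP rule from the question already exist, and the function names in_group and ni are chosen here.

```shell
#!/bin/bash
# Added example: membership check plus a safer version of the ni wrapper.
# Assumes the no-internet group (gid 9876) and the iptables rule
#   iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP
# from the question are already in place.

# in_group GROUP: exit 0 if the current user is a member of GROUP, else 1.
# `id -nG` lists the user's group names separated by spaces.
in_group() {
    for g in $(id -nG); do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# ni COMMAND [ARGS...]: run COMMAND with no-internet as its effective group.
# sg will prompt for a group password (and then fail with the error shown in
# the question) unless the caller is a member, so check that first and
# explain what is missing instead of letting sg fail obscurely.
ni() {
    if ! in_group no-internet; then
        echo "ni: $USER is not a member of the no-internet group." >&2
        echo "ni: add it with: sudo usermod -aG no-internet $USER" >&2
        echo "ni: then log out and back in so the new membership is picked up." >&2
        return 1
    fi
    # sg takes one command string; "$*" joins the arguments with spaces.
    sg no-internet -c "$*"
}

# Only the wrapped command runs with gid no-internet: the caller's own shell
# keeps its normal groups, so its own network access is unaffected.
```

Membership is read from the current session, so after `usermod -aG` the user has to log in again before `in_group` (and sg) sees the new group; `sudo iptables -L OUTPUT -v -n` shows the DROP rule's packet counter climbing when a wrapped program attempts to reach the network.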