
I'm trying to filter traffic with iptables for specific applications by their effective owner id (--gid-owner). For this purpose I've created a group:

$ sudo addgroup net-user

set this group on an executable file:

$ sudo chown :net-user /opt/Signal/signal-desktop

and set the sgid bit:

$ sudo chmod g+s /opt/Signal/signal-desktop

Now the app is not able to load a library:

$ signal-desktop
signal-desktop: error while loading shared libraries: libffmpeg.so: cannot open shared object file: No such file or directory

Another app is not able to reach D-Bus:

$ dolphin
QStandardPaths: wrong ownership on runtime directory /run/user/1001, 1001 instead of 1000
No protocol specified
qt.qpa.screen: QXcbConnection: Could not connect to display :0
Could not connect to any X display.

What am I doing wrong?

raacer
  • Are you sure you don't need setUID? setGID will change the permissions the executable is running under, but I don't believe it will change the actual owning identity. Try setting setuid instead, as it changes the identity. https://www.geeksforgeeks.org/setuid-setgid-and-sticky-bits-in-linux-file-permissions/ – Frank Thomas May 19 '21 at 21:52
  • I'm not sure. I think I don't want to change the identity because I want the program to be able to work with files (settings, etc.) owned by the actual user running this application. However, I want to filter this app somehow with iptables before it is actually running and the pid is known. So I'm trying to use the --gid-owner filter to identify the apps to be filtered. – raacer May 19 '21 at 22:05
  • well, your goal (and I understand that I'm not addressing most of your actual question) is to change the attributes on the running process, such that iptables can see that attribute and make decisions based on it. I don't believe that a process stores/makes-visible an attribute that contains group information, since an identity can be a member of many groups, and their rights are an amalgam of all those groups rights. – Frank Thomas May 19 '21 at 22:18
  • As for what you are doing wrong, remember, setGID on an executable causes it to execute with that group's rights, regardless of the rights held by the executing identity. Since you created a new group called net-users, it has no rights. You have to go around granting rights to the new group before it will be able to execute a process effectively. – Frank Thomas May 19 '21 at 22:39
  • Actually I was able to get the real file owner group via ps, but was unable to retrieve the effective group. So it seems you are right, this is impossible. Can you please provide any suggestion how to achieve the goal?) – raacer May 20 '21 at 00:18
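The last comment says the effective group of a running process could not be retrieved. The kernel does expose it: the "Gid:" line of /proc/<pid>/status lists the real, effective, saved and filesystem GIDs in that order (see proc(5)), and ps can print them with the egid/egroup, rgid/rgroup, sgid and fgid output columns. The script below is an added example, not code from the question or its comments; SAMPLE_STATUS is a constructed excerpt of a status file for a setgid process (real GID 1000, effective GID 1002), and the function names are this example's own.

```shell
#!/bin/sh
# Added example: read a process's real/effective/saved/fs GIDs from /proc/<pid>/status.
# ps shows the real GID by default, which is why the effective group looked missing.

# Constructed sample of a /proc/<pid>/status excerpt for a setgid executable:
# real GID 1000, effective/saved/fs GID 1002. The real file uses tab separators,
# but awk splits on any whitespace, so spaces work just as well here.
SAMPLE_STATUS='Name:   signal-desktop
Umask:  0022
State:  S (sleeping)
Pid:    4242
Uid:    1000    1000    1000    1000
Gid:    1000    1002    1002    1002'

# gid_field <field> <status-text>: print one GID from a status text.
# field: 1 = real, 2 = effective, 3 = saved, 4 = filesystem (the order used by proc(5)).
gid_field() {
    printf '%s\n' "$2" | awk -v f="$1" '$1 == "Gid:" { print $(f + 1); exit }'
}

real_gid()      { gid_field 1 "$1"; }
effective_gid() { gid_field 2 "$1"; }

# has_setgid_split <status-text>: succeed when the real and effective GIDs differ,
# i.e. the process is running under a group it did not inherit from its parent.
has_setgid_split() {
    [ "$(real_gid "$1")" != "$(effective_gid "$1")" ]
}

# Demo on the constructed sample and on the current shell's own status file.
printf 'sample: real=%s effective=%s\n' \
    "$(real_gid "$SAMPLE_STATUS")" "$(effective_gid "$SAMPLE_STATUS")"
if [ -r /proc/self/status ]; then
    self_status=$(cat /proc/self/status)
    printf 'this shell: real=%s effective=%s\n' \
        "$(real_gid "$self_status")" "$(effective_gid "$self_status")"
fi
```

To inspect a live process instead of the sample, pass `$(cat /proc/<pid>/status)` as the argument; `ps -o pid,rgroup,egroup,comm -p <pid>` gives the same information from procps.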

0 Answers