| I had not heard of sg(1) before. The sg(1) manpage on Linux says: >The sg command works similar to newgrp but accepts a command. The command will be executed with the /bin/sh shell. With most shells you may run sg from, you need to enclose multi-word commands in quotes. Another difference between newgrp and sg is that some shells treat newgrp specially, replacing themselves with a new instance of a shell that newgrp creates. This doesn't happen with sg, so upon exit from a sg command you are returned to your previous group ID. I could not find sg(1) for FreeBSD, neither in base nor in ports, but FreeBSD does have newgrp(1) mentioned above. The FreeBSD manpage for newgrp(1) notes: >For security reasons, the newgrp utility is normally installed without the setuid bit. To enable it, run the following command: > chmod u+s /usr/bin/newgrp The main source file of newgrp(1), /usr/src/usr.bin/newgrp/newgrp.c is 310 lines long so I think creating an sg(1) based on that one and maybe also by looking at doas(1) -- which is in ports, not in base -- should not be too difficult. However, I think using sg(1) to protect against random malicious binaries and shell scripts having internet access equates roughly to security by obscurity in that it only protects you as long as the malicious code is unaware of sg(1). Consider the following (which I wrote without testing it with a group limiting firewall but it should work like this): nw_access_group=
while IFS= read -r curr_group ; do
nw_access_group="$curr_group"
sg "$nw_access_group" 'curl -s http://www.example.com/' >/dev/null
if [[ $? -eq 0 ]] ; then
break
fi
done <<EOF
$( getent group | grep "$USER" | cut -d':' -f1 )
EOF
echo "Would use group $nw_access_group for evil stuff."
|