Is it possible to configure program to run in specified group context?

I’m trying to disable internet access to certain programs, here’s what I got so far:

  environment.systemPackages = with pkgs; [
  ]; = {};

  networking.firewall.enable = true;
  networking.firewall.extraCommands = "iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP";

This works very well if I run program like this:

sudo -g no-internet myprogram

Now I wonder if there is a way to make this via configuration.nix, also I’d like program to not run with administor rights.

1 Like

If you want it so typing myprogram always does sudo -g no-internet myprogram you can wrap the program in a new derivation that replaces it with a shell script. Possibly something like

environment.systemPackages = with pkgs; [
  (writeShellScriptBin "myprogram" ''
    exec sudo -g no-internet ${myprogram}/bin/myprogram "$@"

Thank you, works great!
To prevent wrapper script asking for password I also had to add this to /etc/sudoers:

ivxvm ALL=(:no-internet) NOPASSWD: /run/current-system/sw/bin/myprogram
1 Like