Is it possible to configure program to run in specified group context?

I’m trying to disable internet access to certain programs, here’s what I got so far:

  environment.systemPackages = with pkgs; [
    #...
    myprogram
  ];

  users.groups.no-internet = {};

  networking.firewall.enable = true;
  networking.firewall.extraCommands = "iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP";

This works very well if I run the program like this:

sudo -g no-internet myprogram

Now I wonder if there is a way to do this via configuration.nix; also I’d like the program to not run with administrator rights.


If you want it so typing myprogram always does sudo -g no-internet myprogram you can wrap the program in a new derivation that replaces it with a shell script. Possibly something like

environment.systemPackages = with pkgs; [
  (writeShellScriptBin "myprogram" ''
    exec sudo -g no-internet ${myprogram}/bin/myprogram "$@"
  '')
];

Thank you, works great!
To prevent wrapper script asking for password I also had to add this to /etc/sudoers:

ivxvm ALL=(:no-internet) NOPASSWD: /run/current-system/sw/bin/myprogram
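Putting the pieces from the answer and the follow-up together in one module, as an added example rather than code from either poster or from NixOS itself. It assumes the package attribute `myprogram` and the user name `ivxvm` from the thread, the iptables firewall backend (not `networking.nftables.enable`), and the `ip46tables` helper that the NixOS iptables firewall script defines so one rule covers both IPv4 and IPv6 (the original rule only covered IPv4). The sudoers rule is expressed declaratively through `security.sudo.extraRules` instead of an edit to /etc/sudoers, and it names the exact store path the wrapper execs, since sudo matches the command by its full path.

```nix
{ config, pkgs, ... }:

let
  # Assumed: "myprogram" is the package attribute from the original post.
  target = pkgs.myprogram;
  # The wrapper execs this exact store path, so the sudoers rule must
  # name the same path for NOPASSWD to match.
  realBin = "${target}/bin/myprogram";
in
{
  # Group whose sockets the firewall drops; nobody is a member of it,
  # processes only enter it via "sudo -g".
  users.groups.no-internet = { };

  networking.firewall.enable = true;
  # The OUTPUT chain is not flushed by the NixOS firewall script on reload,
  # so delete any previous copy of the rule before appending it; otherwise
  # every "nixos-rebuild switch" leaves a duplicate behind.
  networking.firewall.extraCommands = ''
    ip46tables -D OUTPUT -m owner --gid-owner no-internet -j DROP 2>/dev/null || true
    ip46tables -A OUTPUT -m owner --gid-owner no-internet -j DROP
  '';

  environment.systemPackages = [
    (pkgs.writeShellScriptBin "myprogram" ''
      # -n: never prompt for a password; fail immediately if the sudoers
      # rule is missing instead of hanging in a non-interactive session.
      exec sudo -n -g no-internet ${realBin} "$@"
    '')
  ];

  # Declarative equivalent of the /etc/sudoers line from the follow-up,
  # scoped to one user, one target group and one command.
  security.sudo.extraRules = [
    {
      users = [ "ivxvm" ];
      # ":group" form: only the group changes, the user stays the same.
      runAs = ":no-internet";
      commands = [
        { command = realBin; options = [ "NOPASSWD" ]; }
      ];
    }
  ];
}
```

This also answers the "administrator rights" concern in the question: `sudo -g` with no `-u` runs the command as the invoking user with only the primary group changed, so `myprogram` never gains root. The `-m owner --gid-owner` match looks at the group that created the socket, which is exactly what `sudo -g` changes; anything the program spawns inherits that group and is blocked too. To confirm the rule is live after a rebuild, `sudo iptables -S OUTPUT` should list the DROP line exactly once.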