subuser enables running Linux programs with finely controlled, restricted permissions to enhance endpoint security.
Run programs on Linux with selectively restricted permissions.
This tool is designed for system administrators and security professionals who want to limit the permissions of applications on Linux systems to reduce attack surfaces and enforce the principle of least privilege. It allows running programs with selective restrictions, improving endpoint protection and enabling security automation.
Go must be installed to build the tool from source. Configure capability and user restrictions carefully, since a misconfigured restriction can cause an unintended denial of service. This tool is best used in environments where strict privilege separation is required to mitigate risks from compromised applications.
Clone the repository: git clone https://github.com/subuser-security/subuser.git
Navigate into the directory: cd subuser
Build the tool using Go: go build ./cmd/subuser
Optionally, install the binary system-wide: sudo cp subuser /usr/local/bin/
subuser run --cap-drop=CAP_NET_ADMIN -- /bin/bash
Runs /bin/bash with the CAP_NET_ADMIN capability dropped, restricting network administration privileges.
subuser run --uid=1001 --gid=1001 -- /usr/bin/myapp
Runs 'myapp' under a specific user and group ID to limit its permissions.