I have a question about the "owner" module of iptables. I saw that with it, it's possible to allow only some programs to use services, based on their (e?)gid.
On this basis, I can employ the set-group-id bit to change the egid of a program and so operate a filter on a per-application basis. For example, only permit firefox to use the HTTP and HTTPS services.
Nevertheless, I know that employing the set-group-id bit is NOT good practice, but just out of curiosity: if I use separate groups for each executable (so a "firefox" group for firefox, etc.) and if those groups only have read and execute permissions on their executables, does this usage introduce a security hole? If so, could you give me an example?
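As an added example that is not part of the original question, the setup described above in POSIX shell: a dedicated group for the executable, the setgid bit on the binary, and iptables owner-match rules keyed on that group. The group name "firefox", the path /usr/lib/firefox/firefox, the chain name APP_FILTER and the ports 80/443 are assumptions; the same script serves any other executable by setting APP_GROUP and APP_BIN. Nothing is applied unless DRY_RUN=0 and the script runs as root.

```shell
#!/bin/sh
# Added example, not from the original post. Per-application egress
# filtering with iptables' owner match and a setgid executable.
# Assumed values (override via environment): group "firefox",
# binary /usr/lib/firefox/firefox, chain APP_FILTER, ports 80/443.
APP_GROUP="${APP_GROUP:-firefox}"
APP_BIN="${APP_BIN:-/usr/lib/firefox/firefox}"
DRY_RUN="${DRY_RUN:-1}"

# Commands that create the group and mark the binary setgid.
# Mode 2755 = setgid + rwxr-xr-x: any user may run it, and the process
# then executes with egid = APP_GROUP. That egid is inherited by every
# child process the application spawns unless the program drops it.
group_setup_cmds() {
    printf 'groupadd --system %s\n' "$APP_GROUP"
    printf 'chgrp %s %s\n' "$APP_GROUP" "$APP_BIN"
    printf 'chmod 2755 %s\n' "$APP_BIN"
}

# Firewall commands. The owner match only sees locally generated packets,
# so the rules live in a chain hooked from OUTPUT. --gid-owner compares
# against the group credential of the process that created the socket.
firewall_cmds() {
    printf 'iptables -N APP_FILTER\n'
    printf 'iptables -A APP_FILTER -p tcp -m multiport --dports 80,443 -m owner --gid-owner %s -j ACCEPT\n' "$APP_GROUP"
    printf 'iptables -A APP_FILTER -p tcp -m multiport --dports 80,443 -j REJECT --reject-with tcp-reset\n'
    printf 'iptables -A OUTPUT -j APP_FILTER\n'
}

# Print each generated command (dry run) or execute it.
# eval is fine here because every field comes from the variables above;
# paths containing spaces would need quoting before use.
apply_cmds() {
    while IFS= read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then
            printf '%s\n' "$cmd"
        else
            eval "$cmd"
        fi
    done
}

main() {
    { group_setup_cmds; firewall_cmds; } | apply_cmds
}

main
```

Two things the rules above do not cover: DNS (UDP/53) still has to be permitted for the browser to work at all, and these are IPv4 rules only, so an equivalent set is needed in ip6tables. Because the egid is inherited across fork/exec, any helper the application launches (or any program an attacker can make it launch) gets the same network permission, which is the usual objection to this approach.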