When dropping privileges, also give up membership in supplementary

groups. Thanks to Matthias Drochner for reporting the problem,
providing the initial patch and testing the final version.

diff --git a/jcc.c b/jcc.c
index ea4ae64..76a491b 100644 (file)
--- a/jcc.c
+++ b/jcc.c
@@ -1,4 +1,4 @@
-const char jcc_rcs[] = "$Id: jcc.c,v 1.219 2009/01/31 16:08:21 fabiankeil Exp $";
+const char jcc_rcs[] = "$Id: jcc.c,v 1.220 2009/02/04 18:29:07 fabiankeil Exp $";

 /*********************************************************************
  *
  * File        :  $Source: /cvsroot/ijbswa/current/jcc.c,v $
 /*********************************************************************
  *
  * File        :  $Source: /cvsroot/ijbswa/current/jcc.c,v $


@@ -33,6 +33,10 @@ const char jcc_rcs[] = "$Id: jcc.c,v 1.219 2009/01/31 16:08:21 fabiankeil Exp $"
  *
  * Revisions   :
  *    $Log: jcc.c,v $
  *
  * Revisions   :
  *    $Log: jcc.c,v $

+ *    Revision 1.220  2009/02/04 18:29:07  fabiankeil
+ *    Initialize the log module before parsing arguments.
+ *    Thanks to Matthias Drochner for the report.
+ *

  *    Revision 1.219  2009/01/31 16:08:21  fabiankeil
  *    Remove redundant error check in receive_client_request().
  *
  *    Revision 1.219  2009/01/31 16:08:21  fabiankeil
  *    Remove redundant error check in receive_client_request().
  *


@@ -3859,6 +3863,17 @@ int main(int argc, const char *argv[])
       {
          log_error(LOG_LEVEL_FATAL, "Cannot setgid(): Insufficient permissions.");
       }
       {
          log_error(LOG_LEVEL_FATAL, "Cannot setgid(): Insufficient permissions.");
       }

+      if (NULL != grp)
+      {
+         if (setgroups(1, &grp->gr_gid))
+         {
+            log_error(LOG_LEVEL_FATAL, "setgroups() failed: %E");
+         }
+      }
+      else if (initgroups(pw->pw_name, pw->pw_gid))
+      {
+         log_error(LOG_LEVEL_FATAL, "initgroups() failed: %E");
+      }

       if (do_chroot)
       {
          if (!pw->pw_dir)
       if (do_chroot)
       {
          if (!pw->pw_dir)