SSPCPP-658 - setuid/setgid fails to remove supplementary groups

[shibboleth/cpp-sp.git] / shibd / shibd.cpp

diff --git a/shibd/shibd.cpp b/shibd/shibd.cpp
index c79e1dc..8c67563 100644 (file)
--- a/shibd/shibd.cpp
+++ b/shibd/shibd.cpp
@@ -349,6 +349,13 @@ int main(int argc, char *argv[])
             fprintf(stderr, "getpwnam failed, check -u option\n");
             return -1;
         }
+#ifdef HAVE_INITGROUPS
+        // w/out initgroups/setgroups process retains supplementary groups
+        if (initgroups(pwd->pw_name, pwd->pw_gid) != 0) {
+            fprintf(stderr, "initgroups failed, check -u option\n");
+            return -1;
+        }
+#endif
         if (setuid(pwd->pw_uid) != 0) {
             fprintf(stderr, "setuid failed, check -u option\n");
             return -1;