SSPCPP-658 - setuid/setgid fails to remove supplementary groups

diff --git a/configure.ac b/configure.ac
index 86aade7..ea12766 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -77,7 +77,7 @@ AC_FUNC_STRFTIME
 AC_FUNC_STRERROR_R
 AC_CHECK_HEADERS([sys/utsname.h grp.h pwd.h])
 AC_CHECK_HEADERS([sys/socket.h], [AC_DEFINE([SHIBSP_HAVE_SYS_SOCKET_H],[1],[Define to 1 if you have the <sys/socket> header file.])], [])
-AC_CHECK_FUNCS([strchr strdup strstr timegm gmtime_r localtime_r strtok_r strcasecmp getpwnam getgrnam])
+AC_CHECK_FUNCS([strchr strdup strstr timegm gmtime_r localtime_r strtok_r strcasecmp getpwnam getgrnam initgroups])
 AC_CHECK_TYPES([struct sockaddr_storage], [], [], [[#include <sys/socket.h>]])
 AC_CHECK_MEMBERS([struct sockaddr.sa_len], [], [], [[#include <sys/socket.h>]])
 

diff --git a/shibd/shibd.cpp b/shibd/shibd.cpp
index c79e1dc..8c67563 100644 (file)
--- a/shibd/shibd.cpp
+++ b/shibd/shibd.cpp
@@ -349,6 +349,13 @@ int main(int argc, char *argv[])
             fprintf(stderr, "getpwnam failed, check -u option\n");
             return -1;
         }
+#ifdef HAVE_INITGROUPS
+        // w/out initgroups/setgroups process retains supplementary groups
+        if (initgroups(pwd->pw_name, pwd->pw_gid) != 0) {
+            fprintf(stderr, "initgroups failed, check -u option\n");
+            return -1;
+        }
+#endif
         if (setuid(pwd->pw_uid) != 0) {
             fprintf(stderr, "setuid failed, check -u option\n");
             return -1;