2f8dfd1
diff -up ./util/Security.c.nprocs ./util/Security.c
2f8dfd1
--- ./util/Security.c.nprocs	2016-01-27 03:07:49.000000000 -0500
2f8dfd1
+++ ./util/Security.c	2016-02-22 20:30:06.153297256 -0500
2f8dfd1
@@ -31,6 +31,7 @@
2f8dfd1
 #include <unistd.h>
2f8dfd1
 #include <errno.h>
2f8dfd1
 #include <stdlib.h>
2f8dfd1
+#include <grp.h>
2f8dfd1
 #include <string.h>
2f8dfd1
 #include <sys/mman.h>
2f8dfd1
 #include <stdio.h>
2f8dfd1
@@ -66,12 +67,17 @@ void Security_setUser(int uid,
2f8dfd1
 {
2f8dfd1
     int gidErrno = 0;
2f8dfd1
     int uidErrno = 0;
2f8dfd1
+    int setGroupErrno = 0;
2f8dfd1
+    pid_t groups[1];
2f8dfd1
     if (keepNetAdmin) {
2f8dfd1
         Setuid_preSetuid(alloc, eh);
2f8dfd1
     }
2f8dfd1
     if (gid && setgid(gid)) {
2f8dfd1
         gidErrno = errno;
2f8dfd1
     }
2f8dfd1
+    if (setgroups(0,groups)) {
2f8dfd1
+        setGroupErrno = errno;
2f8dfd1
+    }
2f8dfd1
     if (setuid(uid)) {
2f8dfd1
         // errno is global and could get overwritten by Setuid_postSetuid()
2f8dfd1
         uidErrno = errno;
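Review bot: `pid_t groups[1];` has the wrong element type for `setgroups()`, which takes a `const gid_t *`. Because the count passed is 0, the array is never read, so the declaration can be dropped and the call written as `if (setgroups(0, NULL)) {`. The call is also unconditional, unlike the `gid && setgid(gid)` guard just above it, so a caller that is already unprivileged would presumably get EPERM here and hit the "Failed to setgroups" throw added in the next hunk. If that case is meant to keep working it needs an explicit, commented decision, since skipping the call leaves the inherited supplementary groups in place. Security_setUser starts and ends outside this hunk.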
2f8dfd1
@@ -85,6 +91,9 @@ void Security_setUser(int uid,
2f8dfd1
     if (uid != (int) getuid()) {
2f8dfd1
         Except_throw(eh, "Failed to set UID but seemed to succeed");
2f8dfd1
     }
2f8dfd1
+    if (setGroupErrno > 0) {
2f8dfd1
+        Except_throw(eh, "Failed to setgroups [%s]", strerror(setGroupErrno));
2f8dfd1
+    }
2f8dfd1
     if (gidErrno > 0) {
2f8dfd1
         Except_throw(eh, "Failed to set GID [%s]", strerror(gidErrno));
2f8dfd1
     }
2f8dfd1
@@ -119,8 +128,8 @@ void Security_nofiles(struct Except* eh)
2f8dfd1
 
2f8dfd1
 void Security_noforks(struct Except* eh)
2f8dfd1
 {
2f8dfd1
-    if (setrlimit(RLIMIT_NPROC, &(struct rlimit){ 0, 0 })) {
2f8dfd1
-        Except_throw(eh, "Failed to set fork limit to 0 [%s]", strerror(errno));
2f8dfd1
+    if (setrlimit(RLIMIT_NPROC, &(struct rlimit){ 1, 1 })) {
2f8dfd1
+        Except_throw(eh, "Failed to set process limit to 1 [%s]", strerror(errno));
2f8dfd1
     }
2f8dfd1
 }
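Review bot: The change from `{ 0, 0 }` to `{ 1, 1 }` in Security_noforks has no comment saying why a limit of 1 is needed or why it still blocks forking, which matters for a function whose name promises no forks. I would add above the call `// RLIMIT_NPROC counts this process too, so a limit of 1 still makes fork() fail`. The same comment should record that the limit is counted per real UID and that Linux does not enforce it for processes holding CAP_SYS_ADMIN or CAP_SYS_RESOURCE, so it is only a barrier once privileges have been dropped. If other processes or threads run under the same UID the behaviour may differ from the old limit of 0, which is worth verifying on the target kernels.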
2f8dfd1