--- framework/runtime/process.cpp.orig 2016-02-07 10:33:01.882420699 +0100
+++ framework/runtime/process.cpp 2016-02-07 10:53:46.341371018 +0100
@@ -80,6 +80,16 @@
log_debug("change user to " << user << '(' << pw->pw_uid << ')');
+
+ /* When dropping privileges from root, the `setgroups` call will
+ * remove any extraneous groups. If we don't call this, then
+ * even though our uid has dropped, we may still have groups
+ * that enable us to do super-user things. This will fail if we
+ * aren't root, so don't bother checking the return value, this
+ * is just done as an optimistic privilege dropping function.
+ */
+ setgroups(0, NULL);
+
int ret = ::setuid(pw->pw_uid);
if (ret != 0)
throw cxxtools::SystemError("getuid");
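Review bot: The unchecked `setgroups(0, NULL);` can fail while the process is still root, and the following `::setuid()` will then succeed with root's supplementary groups intact, which is the exact state the new comment says it wants to prevent. Ignoring the result is only harmless in the non-root case, so the call could read `if (::setgroups(0, NULL) != 0 && ::geteuid() == 0) throw cxxtools::SystemError("setgroups");`. No `setgid` or `initgroups` call is visible before `setuid`; the function starts and ends outside the hunk, so if the primary group is not changed elsewhere in it, the process also keeps root's gid after the switch. `setgroups` is declared in `<grp.h>`, and the visible lines do not add that include.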