--- framework/runtime/process.cpp.orig 2016-02-07 10:33:01.882420699 +0100
+++ framework/runtime/process.cpp 2016-02-07 10:53:46.341371018 +0100
@@ -80,6 +80,16 @@
 log_debug("change user to " << user << '(' << pw->pw_uid << ')');
+
+ /* When dropping privileges from root, the `setgroups` call will
+ * remove any extraneous groups. If we don't call this, then
+ * even though our uid has dropped, we may still have groups
+ * that enable us to do super-user things. This will fail if we
+ * aren't root, so don't bother checking the return value, this
+ * is just done as an optimistic privilege dropping function.
+ */
+ setgroups(0, NULL);
+
 int ret = ::setuid(pw->pw_uid);
 if (ret != 0)
 throw cxxtools::SystemError("getuid");
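Review bot: The return value of `setgroups(0, NULL)` is discarded, so a failure while the process is still root leaves the supplementary groups in place and the following `::setuid` still succeeds, which is exactly the state the new comment sets out to prevent. Failing closed only in the root case keeps the best-effort behaviour for non-root callers: `if (::setgroups(0, NULL) != 0 && ::geteuid() == 0) throw cxxtools::SystemError("setgroups");`. The hunk shows no `setgid` before `setuid`, so unless the primary group is changed elsewhere (not visible here) the process would keep root's gid after the uid drop. The message `"getuid"` in the context line also looks like it should read `"setuid"`. The enclosing function starts and ends outside the hunk, and `setgroups` needs `<grp.h>`, which the hunk does not show being included.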