# HG changeset patch
# User Timo Sirainen
# Date 1197295107 -7200
# Node ID d7a48bf83a0e3d7f95d987aa94d53f55186c571d
# Parent e43c4db35e949c574819768f04db675edf890703
Don't use empty setgroups() list to drop groups. It doesn't work at least with OSX.
diff -r e43c4db35e94 -r d7a48bf83a0e src/lib/restrict-access.c
--- a/src/lib/restrict-access.c Mon Dec 10 13:21:30 2007 +0200
+++ b/src/lib/restrict-access.c Mon Dec 10 15:58:27 2007 +0200
@@ -93,7 +93,7 @@
 return group->gr_gid;
 }
-static void fix_groups_list(const char *extra_groups,
+static void fix_groups_list(const char *extra_groups, gid_t egid,
 bool preserve_existing, bool *have_root_group)
 {
 gid_t *gid_list;
@@ -112,8 +112,11 @@
 return;
 }
 } else {
- gid_list = t_new(gid_t, 1);
- gid_count = 0;
+ /* Some OSes don't like an empty groups list,
+ so use the effective GID as the only one. */
+ gid_list = t_new(gid_t, 2);
+ gid_list[0] = egid;
+ gid_count = 1;
 }
 /* add extra groups to gids list */
@@ -169,7 +172,8 @@
 env = getenv("RESTRICT_SETEXTRAGROUPS");
 if (is_root) {
 T_FRAME(
- fix_groups_list(env, preserve_groups, &have_root_group);
+ fix_groups_list(env, gid, preserve_groups,
+ &have_root_group);
 );
 }
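Review bot: The new `egid` parameter in the fix_groups_list() signature has no comment describing its contract, and this value now decides which group survives when the supplementary list is reset. A comment above the signature would make the requirement explicit, for example `/* egid: GID the process already runs with; becomes the only supplementary group when existing groups are not preserved */`. The function body continues outside this hunk.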
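Review bot: In the `else` branch, `gid_list[0] = egid;` means the process no longer ends up with an empty supplementary list, so if `egid` is 0 the root group stays in the set passed on to setgroups(). Whether `*have_root_group` is updated for that entry is decided by code outside this hunk and should be confirmed, since callers presumably rely on that flag to know root-group access was dropped. Separately, `t_new(gid_t, 2)` allocates two slots while only one is filled here; a short comment such as `/* one slot for egid, one spare for the first extra group */` would explain the size if that is the intent.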
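Review bot: The call inside `T_FRAME(` passes `gid`, while the parameter is named `egid` and the comment in the `else` branch calls it the effective GID. `gid` is assigned outside this hunk; if it can hold a sentinel for "no group configured", or differ from the group the process is actually running as, that value would be written into the list handed to setgroups(). Provided the group switch has already happened by this point, asking the kernel would match the stated intent: `fix_groups_list(env, getegid(), preserve_groups,`.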