Thanks for the info @jdstrand
Fwiw, I don’t think allowing setgroups(0, NULL) will help in this case. As currently implemented, initgroups() will always call setgroups(1, [gid]) - it requires an explicit gid_t group parameter. If I was going to patch anything, I would simply patch out the call to initgroups altogether, as @coreycb’s solution did.
So, if I understand correctly, the proposed solution in the linked document will not work for software that calls initgroups(), as that implicitly calls setgroups(), which is not able to be filtered safely. Is this correct?
This is likely a problem. Lots of server software uses glibc’s initgroups().
Should I file a bug to track this issue? Or comment on the linked thread?
I’m not sure what a proper solution to this would be, but I do think it is important for there to be one in the long run.
Perhaps we can submit a patch to glibc that only calls setgroups iff you are not already that user? That might work in this case, but it might be a while before we could use it.