From 66ab38918c911bcff025562cf06237d7fedaba0c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sa=C3=BAl=20Ibarra=20Corretg=C3=A9?= <saghul@gmail.com>
Date: Mon, 10 Feb 2014 17:41:51 +0100
Subject: [PATCH] unix: call setgoups before calling setuid/setgid

Partial fix for #1093
---
 src/unix/process.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/unix/process.c b/src/unix/process.c
index 0fc8f64019..1efd588b86 100644
--- a/src/unix/process.c
+++ b/src/unix/process.c
@@ -330,6 +330,17 @@ static void uv__process_child_init(const uv_process_options_t* options,
     _exit(127);
   }
 
+  if (options->flags & (UV_PROCESS_SETUID | UV_PROCESS_SETGID)) {
+    /* When dropping privileges from root, the `setgroups` call will
+     * remove any extraneous groups. If we don't call this, then
+     * even though our uid has dropped, we may still have groups
+     * that enable us to do super-user things. This will fail if we
+     * aren't root, so don't bother checking the return value, this
+     * is just done as an optimistic privilege dropping function.
+     */
+    SAVE_ERRNO(setgroups(0, NULL));
+  }
+
   if ((options->flags & UV_PROCESS_SETGID) && setgid(options->gid)) {
     uv__write_int(error_fd, -errno);
     perror("setgid()");