libmount: fix setgroups() use

* keep process in single supplementary group, which is the real group ID for the process

* make sure we have rights to call setgroups(), requires group permissions

Fixes: https://github.com/karelzak/util-linux/issues/1398
Signed-off-by: Karel Zak <kzak@redhat.com>

diff --git a/include/c.h b/include/c.h
index c1e4c5ffc92b0f9c648f379fb7465e5f714b88f1..a4504e3ba5398691f9aa172336cbb6580ae46b28 100644 (file)
--- a/include/c.h
+++ b/include/c.h
@@ -340,14 +340,16 @@ static inline size_t get_hostname_max(void)
 
 static inline int drop_permissions(void)
 {
+       gid_t newgid = getgid();
+
        errno = 0;
 
        /* drop supplementary groups */
-       if (setgroups(0, NULL) != 0)
+       if (geteuid() == 0 && setgroups(1, &newgid) != 0)
                goto fail;
 
        /* drop GID */
-       if (setgid(getgid()) < 0)
+       if (setgid(newgid) < 0)
                goto fail;
 
        /* drop UID */