You guys fixed that saved-set user id security hole, so a program can
call setreuid(geteuid(), geteuid()) to drop UID privilege of the
caller, but I can't see any way to get rid of extra groups. I did
figure out that I could also make the program setgid to set the
"default group" to be what I want, but this still leaves the
additional groups (which included at least the caller's default
group).
I found a manpage at http://constitution.mit.edu:5000/setgroups
-- although I have no idea what system this is referring to, it mentions
that _any_ program can delete groups, even non-privileged ones. But
looking at the kernel source, this is not true in linux. If it was, I
would expect I would be able to call setgroups with just the groups I
want (a subset of what the program currently has).
Note that this ***changes*** the security properties of groups, since
groups can be used to *restrict* access to directories. For example,
users could be put into the group lusers, and they won't have access to
a directory with mode 705, group lusers.
- Ted
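Added example, not part of Ted's message or of the kernel source he refers to. It does two things in C: it models the POSIX rule for which permission class applies to a caller (owner, else group including supplementary groups, else other), and runs the post's own case of a directory with mode 705 and group lusers through it, so the effect of dropping a supplementary group on a "deny by group" directory is visible; and it shows the order in which a privileged program drops supplementary groups, gid and uid on Linux, with a check that the drop stuck. The uid/gid values (root=0, alice=1000, users=1000, lusers=1001) are constructed sample ids, and `setgroups()` needs CAP_SETGID on Linux, so `drop_to()` only succeeds when the program is run with sufficient privilege.

```c
/* Added example; not code from the original post.
 * perm_bits_for() models the kernel's owner -> group -> other class selection.
 * drop_to() shows the correct drop order: groups, then gid, then uid.
 * All uid/gid constants below are constructed sample values. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns the 3-bit rwx class (0..7) that applies to a caller with the given
 * effective uid/gid and supplementary groups, for a file with the given
 * mode, owner and group. Only ONE class applies: owner match wins, then a
 * group match (effective gid or any supplementary gid), otherwise "other". */
int perm_bits_for(mode_t mode, uid_t file_uid, gid_t file_gid,
                  uid_t euid, gid_t egid, const gid_t *groups, int ngroups)
{
    if (euid == file_uid)
        return (mode >> 6) & 07;
    if (egid == file_gid)
        return (mode >> 3) & 07;
    for (int i = 0; i < ngroups; i++)
        if (groups[i] == file_gid)
            return (mode >> 3) & 07;
    return mode & 07;
}

/* The post's case: directory mode 0705, owner root, group lusers.
 * Constructed ids: root=0, alice=1000 with default group users=1000,
 * lusers=1001. Returns the class bits alice gets, with or without lusers
 * in her supplementary list. Membership in lusers yields 0 (no access);
 * dropping the group yields the "other" bits 5 (r-x). */
int lusers_example(int alice_in_lusers)
{
    const uid_t root = 0, alice = 1000;
    const gid_t users = 1000, lusers = 1001;
    gid_t supp[2] = { users, lusers };
    int n = alice_in_lusers ? 2 : 1;
    return perm_bits_for(0705, root, lusers, alice, users, supp, n);
}

/* Drop to an unprivileged uid/gid. setgroups() and setgid() require
 * CAP_SETGID, which is lost once the uid is unprivileged, so groups and gid
 * go first. All three of real/effective/saved are set so no saved id is left
 * to climb back with. Returns 0 on success, -1 with errno set on failure. */
int drop_to(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) != 0)        /* replace the whole supplementary list */
        return -1;
    if (setresgid(gid, gid, gid) != 0)  /* real, effective and saved gid */
        return -1;
    if (setresuid(uid, uid, uid) != 0)  /* real, effective and saved uid */
        return -1;
    /* Verify the drop: regaining root must now fail for a non-root target. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    printf("alice in lusers:  class bits = %o\n", lusers_example(1));
    printf("lusers dropped:   class bits = %o\n", lusers_example(0));
    if (geteuid() == 0) {
        /* Constructed target ids; only attempted when started as root. */
        if (drop_to(1000, 1000) == 0)
            printf("dropped to uid %u gid %u\n",
                   (unsigned)geteuid(), (unsigned)getegid());
        else
            perror("drop_to");
    }
    return 0;
}
```

Run as an ordinary user it only prints the two permission results; started as root it also performs and verifies the drop. The point Ted raises falls out of `lusers_example`: the group class is consulted before "other", so a 0-bit group entry is a denial that depends on the caller *keeping* the group.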