Hi, is this the correct sequence to drop privileges in a Linux process? I want this code to work both when I am running as a privileged user (e.g. in production) and when running as the target user itself (e.g. for testing).
Input = username, groupname
look up userid and groupid; exit if not found
setgid(groupid); exit on failure
e = initgroups(username, groupid, ...)
setuid(userid); exit on failure
capset(...) to zero capabilities; exit on failure
if (e) {
    /* e.g. initgroups failed because of insufficient privileges */
    assign result of getgrouplist(username, groupid, ...) to target_groups
    assign result of getgroups() to effective_groups
    exit if there is an effective_group which is
    (not a target_group and not equal to groupid)
}
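The sequence above written out as runnable C. This is an added example, not the poster's code: it assumes glibc on Linux, uses the raw capset(2) syscall instead of libcap, and the names drop_privileges, groups_are_subset, clear_capabilities and the MAX_GROUPS limit are this example's own. The supplementary-group comparison is kept as a separate pure function so it can be exercised without root, and a final check confirms the drop cannot be undone.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/syscall.h>
#include <linux/capability.h>
#endif

#define MAX_GROUPS 128   /* assumption: enough for any realistic service account */

/* Pure check, kept separate so it can be tested without root: every gid in
 * have[] must be either the requested primary gid or listed in want[].
 * Returns 0 when that holds, -1 when an unexpected group is present. */
int groups_are_subset(const gid_t *have, int nhave,
                      const gid_t *want, int nwant, gid_t primary)
{
    for (int i = 0; i < nhave; i++) {
        if (have[i] == primary)
            continue;
        int found = 0;
        for (int j = 0; j < nwant && !found; j++)
            found = (want[j] == have[i]);
        if (!found)
            return -1;
    }
    return 0;
}

/* Zero the permitted, effective and inheritable capability sets with the raw
 * capset(2) syscall (no libcap needed). Dropping is always allowed, so this
 * also succeeds when the process never had any capabilities. */
static int clear_capabilities(void)
{
#ifdef __linux__
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    return (int)syscall(SYS_capset, &hdr, data);
#else
    return 0;   /* nothing to do on non-Linux */
#endif
}

/* Drop to username/groupname. Works when started as root (initgroups succeeds)
 * and when started as that user already (initgroups fails with EPERM, so the
 * supplementary groups we inherited are verified instead of being set).
 * Returns 0 on success, -1 on any failure, with a message on stderr. */
int drop_privileges(const char *username, const char *groupname)
{
    struct passwd *pw = getpwnam(username);
    struct group  *gr = getgrnam(groupname);
    if (pw == NULL || gr == NULL) {
        fprintf(stderr, "unknown user %s or group %s\n", username, groupname);
        return -1;
    }
    uid_t uid = pw->pw_uid;
    gid_t gid = gr->gr_gid;

    if (setgid(gid) != 0) { perror("setgid"); return -1; }
    int init_rc = initgroups(username, gid);   /* needs CAP_SETGID, so before setuid */
    int init_errno = errno;
    if (setuid(uid) != 0) { perror("setuid"); return -1; }
    if (clear_capabilities() != 0) { perror("capset"); return -1; }

    if (init_rc != 0) {
        if (init_errno != EPERM) { errno = init_errno; perror("initgroups"); return -1; }
        gid_t want[MAX_GROUPS], have[MAX_GROUPS];
        int nwant = MAX_GROUPS;
        if (getgrouplist(username, gid, want, &nwant) < 0) {
            fprintf(stderr, "too many groups for %s\n", username); return -1;
        }
        int nhave = getgroups(MAX_GROUPS, have);
        if (nhave < 0) { perror("getgroups"); return -1; }
        if (groups_are_subset(have, nhave, want, nwant, gid) != 0) {
            fprintf(stderr, "unexpected supplementary group present\n"); return -1;
        }
    }

    /* The drop must be permanent: regaining uid 0 has to fail now. */
    if (uid != 0 && setuid(0) == 0) {
        fprintf(stderr, "privilege drop was not permanent\n"); return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s username groupname\n", argv[0]); return 2; }
    if (drop_privileges(argv[1], argv[2]) != 0) return 1;
    printf("now uid=%u euid=%u gid=%u egid=%u\n", (unsigned)getuid(),
           (unsigned)geteuid(), (unsigned)getgid(), (unsigned)getegid());
    return 0;
}
```

Build with `cc drop.c -o drop` and run it once as root and once as the target user to exercise both paths. initgroups is deliberately called before setuid, as in the question, because it needs CAP_SETGID and setuid to a non-root uid clears the permitted and effective capability sets (unless PR_SET_KEEPCAPS was requested); the explicit capset afterwards only matters if something like that was set earlier.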