This patch ensures the daemon process doesn't inherit any supplemental
groups for the root user from an administrator login via an init
script.
This is only an issue for pre-systemd systems.
https://bugzilla.redhat.com/show_bug.cgi?id=726953
capng_clear (CAPNG_SELECT_BOTH);
capng_update (CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
CAP_AUDIT_WRITE);
- rc = capng_change_id (uid, gid, 0);
+ rc = capng_change_id (uid, gid, CAPNG_DROP_SUPP_GRP);
if (rc)
{
switch (rc) {
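Review bot: The switch (rc) that follows the changed capng_change_id call should be checked for a case covering a failure to drop the supplementary groups. Passing CAPNG_DROP_SUPP_GRP makes that failure path reachable where flags of 0 did not. The switch body is cut off in this context, so confirm the new error is reported distinctly and treated as fatal rather than falling into a generic default, since continuing with root's inherited groups is exactly what the commit message sets out to prevent. A one-line comment above the call saying why the groups are dropped (init-script start from an administrator login, per the bugzilla entry) would also help later readers. Finally, note that the flag clears all supplementary groups, so it is worth confirming the daemon's target uid does not depend on secondary group membership for any file access.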