+++ This bug was initially created as a clone of Bug #741289 +++

Description of problem:

(reported by Steve Grubb)

vhostmd does not set supplemental groups correctly when it
changes (drops) privs.  Between setgid and setuid, there
should be a call to either initgroups or setgroups as appropriate.

---

Util-linux's login program does something like this:

    if (initgroups(user, pwd->pw_gid) < 0) {
            syslog(LOG_ERR, "initgroups: %m");
            fprintf(stderr, _("\nSession setup problem, abort.\n"));
            exit(1);
    }

This can be adapted to vhostmd.c. The problem is that supplemental groups from the root account can be leaked into daemons unless they specifically clear the supplemental groups.

To test this, go into a system as root. Use the id program to verify root has some supplemental groups. Restart vhostmd. Get its pid. Look in /proc/<pid>/status for the "Groups" line. You should see some leaked groups. 

When patched, you should not.

---

The test is simple.  After starting vhostmd, run the
following command:

$ grep ^Groups: /proc/`pidof vhostmd`/status

If the bug is fixed, you should see one group, which is the
group of vhostmd (112 on Fedora, not sure about RHEL, but you
can check in /etc/group for the right number).  eg:

$ grep ^Groups: /proc/`pidof vhostmd`/status
Groups:	112 

However if you see a list of groups here, then there is an error.
For example, on Fedora with the unfixed vhostmd you see:

$ grep ^Groups: /proc/`pidof vhostmd`/status
Groups:	0 1 2 3 4 6 10 

This is very bad because (eg) '0' is the group of the root
account.

---

Upstream fix:
https://gitorious.org/vhostmd/vhostmd/commit/8684995d87e08fadd44e1814e810c770a1f60273