setgroups() not called before setuid()
Brought to you by: jmaggard
When dropping privileges at tree/minidlna.c:1072, setuid() is called without the recommended setgroups() call preceding it.
See the following links for more detailed discussion on why that's recommended.
https://security.stackexchange.com/questions/122141/always-setgroups-before-setuid
CERT C rule POS36-C
Dropping Privileges in setuid Programs
I propose the attached patch to address this issue.
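The call order this ticket asks for, as an added example (it is not minidlna's code and not the attached patch): supplementary groups are cleared first, then the gid is set, then the uid, and the result is verified. The helper names `drop_privileges()` and `privileges_dropped()` are hypothetical, the uid/gid 65534 is a constructed sample value, and refusing uid/gid 0 and checking the result afterwards are choices made for this example.

```c
/* Added example: permanent privilege drop with supplementary groups cleared.
 * drop_privileges() and privileges_dropped() are hypothetical helper names. */
#define _DEFAULT_SOURCE          /* exposes setgroups() on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 only if the process now runs as uid/gid with no other groups. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    gid_t groups[64];
    int n, i;

    if (getuid() != uid || geteuid() != uid) return 0;
    if (getgid() != gid || getegid() != gid) return 0;
    n = getgroups(64, groups);
    if (n < 0) return 0;                  /* too many groups or error */
    for (i = 0; i < n; i++)
        if (groups[i] != gid) return 0;   /* an inherited group survived */
    /* A permanent drop means root cannot be regained. */
    if (uid != 0 && setuid(0) == 0) return 0;
    return 1;
}

/* Order matters: groups, then gid, then uid. After setuid() the process
 * no longer has the privilege needed to change its groups. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; }
    if (setgroups(1, &gid) != 0) return -1;   /* drop root's extra groups */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (!privileges_dropped(uid, gid)) { errno = EPERM; return -1; }
    return 0;
}

int main(void)
{
    /* 65534 ("nobody" on many systems) is a constructed sample value. */
    if (drop_privileges(65534, 65534) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("running as uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```

Run as root, the program ends up with only the target group; started unprivileged, setgroups() fails and the function reports the error instead of continuing.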