Library calls setuid and/or setgid without setgroups or initgroups

Open mcepl opened this issue 5 years ago • 1 comments

When building a package for openSUSE, rpmlint warns me:

This executable is calling setuid and setgid without setgroups or initgroups. There is a high probability this means it didn't relinquish all groups, and this would be a potential security issue to be fixed. Seek POS36-C on the web for details about the problem.

mcepl, Jun 19 '19 07:06

Some more info:

setuid/setgid are called from luv_setuid/luv_setgid here: https://github.com/luvit/luv/blob/a0a98ec424e368cc2481faa03b99a25f403a5832/src/misc.c#L337-L353

The only usage I can find of uv.setuid/uv.setgid on GitHub is here: https://github.com/creationix/gardener/blob/b9e2d590cb48a01f5310f35516e68eb52bfc6f02/bridge/server.lua#L56-L58

Here's how libuv handles this when spawning a new process: https://github.com/libuv/libuv/blob/abe4f3d58d1f89f7b9c3092a917486832ceff7a2/src/unix/process.c#L354-L373 (it calls setgroups(0, NULL) and then setgid and then setuid).

I don't know enough about this stuff to know what should be done here, but hopefully that can provide a starting point.

Some more reference links:

  • https://security.stackexchange.com/questions/122141/always-setgroups-before-setuid
  • https://www.oreilly.com/library/view/secure-programming-cookbook/0596003943/ch01s03.html
  • https://wiki.sei.cmu.edu/confluence/display/c/POS36-C.+Observe+correct+revocation+order+while+relinquishing+privileges

squeek502, Jun 19 '19 09:06
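
Added example, not part of the thread and not luv or libuv code: the order the comment above reports for libuv (setgroups(0, NULL), then setgid, then setuid) written as one C helper that also verifies the result. `drop_privileges` is a hypothetical name, and the `geteuid() == 0` test is a simplifying assumption standing in for a capability check.

```c
#define _DEFAULT_SOURCE 1        /* exposes setgroups() in glibc's <grp.h> */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: permanently switch to uid/gid.
 * Returns 0 on success, -1 on any failure. On -1 the caller should exit
 * rather than keep running with partially dropped privileges. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* 1. Supplementary groups first. Clearing them needs privilege, so it
     *    has to happen before setuid(). An unprivileged caller cannot
     *    change them, so the step is skipped (assumption: euid 0 == root).
     *    initgroups() for the target account is the alternative when the
     *    service needs that account's own groups. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;

    /* 2. Group IDs next: after setuid() the process can no longer set them. */
    if (setgid(gid) != 0)
        return -1;

    /* 3. User ID last. */
    if (setuid(uid) != 0)
        return -1;

    /* 4. Verify the IDs instead of trusting the return codes alone. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;

    /* 5. A non-root target must not be able to get root back. */
    if (uid != 0 && setuid(0) == 0)
        return -1;

    return 0;
}

int main(void)
{
    /* Constructed demo: "drop" to the IDs the process already has, so it
     * runs with or without root. A real daemon passes its service account. */
    int rc = drop_privileges(getuid(), getgid());
    printf("drop_privileges: %d, supplementary groups left: %d\n",
           rc, getgroups(0, NULL));
    return rc == 0 ? 0 : 1;
}
```
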