Home/ Questions/Q 6098779
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-23T13:11:49+00:00

I’m dropping root privileges with setregid(real_gid, effective_gid) . Both are set to 1000, but

  • 0

I’m dropping root privileges with setregid(real_gid, effective_gid). Both are set to 1000, but when I’m running id command there’s root in group list! How do I remove that?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    If root is one of the auxilliary groups, you’ll need to use getgroups() and setgroups() to adjust the auxilliary groups list – removing root (0) from that list. Note that POSIX specifies getgroups() but does not specify setgroups().

    You could probably use code similar to this:

    enum { MAX_AUX_GROUPS = 16 };  // Reasonable number
enum { ROOT_GROUP     = 0  };  // Platform specific

gid_t aux_groups[MAX_AUX_GROUPS];
int ngroups = getgroups(MAX_AUX_GROUPS, aux_groups);
if (ngroups > 0)
{
    int dst = 0;
    for (int i = 0; i < ngroups; i++)
    {
        if (aux_groups[i] != ROOT_GROUP)
            aux_groups[dst++] = aux_groups[i];
    }
    ngroups = dst;
}
if (ngroups > 0)
{
    if (setgroups(ngroups, aux_groups) != 0)
        ...report error...
}

    Note that the root group is 0 on Linux, but the name of group 0 is not always root (e.g. it is system on AIX and wheel on MacOS X) and not all systems have a group root (neither AIX nor MacOS X, again). Note too that the kernel does not grant any special privileges to group 0 by virtue of it being group 0 (whereas it does grant special privileges to user 0).

    You can generalize the code by looking up the group(s) you want to omit. POSIX provides an NGROUPS_MAX too; you could use that in place of MAX_AUX_GROUPS. The standard page also suggests:

    long ngroups_max = sysconf(_SC_NGROUPS_MAX) + 1;
gid_t *group = (gid_t *)malloc(ngroups_max *sizeof(gid_t));
    • 0