need initgroups() before setresgid(); reported by anton@, ok deraadt@

diff --git a/usr.bin/ssh/misc.c b/usr.bin/ssh/misc.c
index 9a1c057..b5e52b6 100644 (file)
--- a/usr.bin/ssh/misc.c
+++ b/usr.bin/ssh/misc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.c,v 1.169 2021/08/09 23:47:44 djm Exp $ */
+/* $OpenBSD: misc.c,v 1.170 2021/09/26 14:01:03 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  * Copyright (c) 2005-2020 Damien Miller.  All rights reserved.
@@ -2594,6 +2594,12 @@ subprocess(const char *tag, const char *command,
                }
                closefrom(STDERR_FILENO + 1);
 
+               if (geteuid() == 0 &&
+                   initgroups(pw->pw_name, pw->pw_gid) == -1) {
+                       error("%s: initgroups(%s, %u): %s", tag,
+                           pw->pw_name, (u_int)pw->pw_gid, strerror(errno));
+                       _exit(1);
+               }
                if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) {
                        error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,
                            strerror(errno));