From 9c21356b4de36e2db5ede03b1ee5edfc587e0b85 Mon Sep 17 00:00:00 2001
From: "R. Steve McKown" <rsmckown@gmail.com>
Date: Mon, 1 Oct 2012 11:42:13 -0600
Subject: [PATCH] Properly force group id as done with user id

Note that group id must be set first, when we still have effective root
permissions thanks to u+s on repo_shell.
---
 repo_shell.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/repo_shell.c b/repo_shell.c
index e4918b3..07e5cf7 100644
--- a/repo_shell.c
+++ b/repo_shell.c
@@ -38,9 +38,17 @@ static void change_user(char *user)
 
   if (!pw)
     die("invalid user %s", user);
+  setgid(pw->pw_gid);
   setuid(pw->pw_uid);
 }
 
+/* Set the user and group permissions back to the requesting user */
+static void reset_user()
+{
+  setgid(getgid());
+  setuid(getuid());
+}
+
 static char *dequote(char *arg)
 {
   char* narg = NULL;
@@ -209,7 +217,7 @@ int main(int argc, char **argv)
       fprintf(stderr, "\n");
       die("only repository access is allowed");
     }
-    setuid(getuid());
+    reset_user();
     argv[0] = SHELL;
     execvp(argv[0], (char *const *) argv);
     return 1;
@@ -270,7 +278,7 @@ int main(int argc, char **argv)
 
   if (!cfg.allow_interactive)
     die("only repository access is allowed");
-  setuid(getuid());
+  reset_user();
   cd_to_homedir();
   argv[0] = SHELL;
   execvp(argv[0], (char *const *) argv);
-- 
2.39.2