Indeed, this particular use of getgid() and setuid(0) specifically is used to temporarily change to the privileges afforded to a client logging in using a particular username and password (i.e. secpwd security). As such, we do not want to completely destroy the existing ancillary groups afforded to the server, as they would be extremely difficult to recreate. See https://security.stackexchange.com/questions/122141/always-setgroups-before-setuid

So, I am closing this as "not an error in the context used". However, thank you for bringing this to our attention, as it's always good to review potential security issues.

--
Reply to this email directly or view it on GitHub: https://github.com/xrootd/xrootd/issues/1783#issuecomment-1262105171