Skip privilege drop when already running as target user

renaudallard · renaudallard · commit 83de3ffe2eea · 2026-03-19T16:59:54.000+01:00
When rc.d uses daemon_user to run the process as an
unprivileged user, the config may also specify the same
user.  setgroups requires root and fails with EPERM.
Skip the drop if getuid already matches the target.
diff --git a/thinproxy.c b/thinproxy.c
@@ -1730,6 +1730,8 @@ drop_privs(const char *user)
 		logmsg(LOG_ERR, "unknown user: %s", user);
 		return -1;
 	}
+	if (getuid() == pw->pw_uid)
+		return 0;
 	if (setgroups(1, &pw->pw_gid) == -1 ||
 	    setgid(pw->pw_gid) == -1 ||
 	    setuid(pw->pw_uid) == -1) {

Original file line number	Diff line number	Diff line change
`@@ -1730,6 +1730,8 @@ drop_privs(const char *user)`
`1730`	`1730`	`logmsg(LOG_ERR, "unknown user: %s", user);`
`1731`	`1731`	`return -1;`
`1732`	`1732`	`}`
	`1733`	`+ if (getuid() == pw->pw_uid)`
	`1734`	`+ return 0;`
`1733`	`1735`	`if (setgroups(1, &pw->pw_gid) == -1 \|\|`
`1734`	`1736`	`setgid(pw->pw_gid) == -1 \|\|`
`1735`	`1737`	`setuid(pw->pw_uid) == -1) {`