From eb3afc4001120afbbbf43d02e94cf560ddf6bf84 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mikk=20Margus=20M=C3=B6ll?=
Date: Wed, 3 Jul 2024 16:32:44 +0300
Subject: [PATCH 1/2] ENH: utils: acquire groups of intelmq user in drop_privileges
---
 intelmq/lib/utils.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/intelmq/lib/utils.py b/intelmq/lib/utils.py
index 294f4107a..42d551ad9 100644
--- a/intelmq/lib/utils.py
+++ b/intelmq/lib/utils.py
@@ -692,6 +692,7 @@ def drop_privileges() -> bool:
 """
 if os.geteuid() == 0:
 try:
+ os.setgroups([group.gr_gid for group in grp.getgrall() if 'intelmq' in group.gr_mem])
 os.setgid(grp.getgrnam('intelmq').gr_gid)
 os.setuid(pwd.getpwnam('intelmq').pw_uid)
 except (OSError, KeyError):
From d04e055de0125fefc6d78189cc0d3e2d01cb6b8c Mon Sep 17 00:00:00 2001
From: Sebastian Wagner
Date: Tue, 9 Jul 2024 08:28:34 +0200
Subject: [PATCH 2/2] doc: add changelog entry for PR#2507
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- `intelmq.lib.utils.drop_privileges`: When IntelMQ is called as `root` and dropping the privileges to user `intelmq`, also set the non-primary groups associated with the `intelmq` user. Makes the behaviour of running intelmqctl as `root` closer to the behaviour of `sudo -u intelmq ...` (PR#2507 by Mikk Margus Möll).
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 062751873..4b1141e94 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,7 @@
 ### Configuration
 ### Core
+- `intelmq.lib.utils.drop_privileges`: When IntelMQ is called as `root` and dropping the privileges to user `intelmq`, also set the non-primary groups associated with the `intelmq` user. Makes the behaviour of running intelmqctl as `root` closer to the behaviour of `sudo -u intelmq ...` (PR#2507 by Mikk Margus Möll).
 ### Development
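Review bot: Scanning `grp.getgrall()` in the added `os.setgroups(...)` line of `intelmq/lib/utils.py` only finds groups that the system's name-service backend is willing to enumerate, so on hosts with directory-backed accounts the list may come back short or empty and the process would end up with fewer groups than `sudo -u intelmq` gives. `os.initgroups` asks the system for that user's group list directly and includes the primary gid, so the sequence could read `gid = grp.getgrnam('intelmq').gr_gid`, `os.initgroups('intelmq', gid)`, `os.setgid(gid)` ahead of the unchanged `os.setuid(...)`. Whichever call is used, it has to stay before `os.setuid`, because it is also what replaces root's own supplementary groups and needs root to do so; a one-line comment such as `# must run before setuid: replaces root's supplementary groups` would protect that ordering from later reshuffling. The `except` body and the function's return path are outside the hunk, so whether a failure part-way through this sequence is reported as `False` cannot be confirmed from here.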