Hi Ondrej, > Tar does not attempt to initialize supplementary groups when dropping > privileges.
Indeed, it does not. However doing it the way you propose is of little practical value, because the caller might as well set the USER variable to any other user in order to obtain that user's privileges. You can easily test that. > Also according to this > https://wiki.sei.cmu.edu/confluence/display/c/POS36-C.+Observe+correct+revocation+order+while+relinquishing+privileges > git should be reseted before uid. While technically true, swapping them does litle harm, because setgid (getgid ()) works well for ordinary (non-root) user. Regards, Sergey
