GitLab

check_private_dir() to ensure that ControlSocketsGroupWritable is safe to use. Unfortunately, check_private_dir() only checks against the currently running user… which can be root until privileges are dropped to the user and group configured by the User config option.

The attached patch fixes the issue by adding a new effective_user argument to check_private_dir() and updating the callers. It might not be the best way to fix the issue, but it did in my tests.