ControlSocketsGroupWritable option is not compatible with User
check_private_dir() to ensure that
ControlSocketsGroupWritable is safe to use. Unfortunately,
check_private_dir() only checks against the currently running user… which can be root until privileges are dropped to the user and group configured by the
User config option.
The attached patch fixes the issue by adding a new
effective_user argument to
check_private_dir() and updating the callers. It might not be the best way to fix the issue, but it did in my tests.