From 759b608169b88a41d5bd6a23fa06cb8004110a2a Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Mon, 25 May 2026 16:04:50 +0200
Subject: [PATCH 1/2] Reset supplementary groups when changing user.

Signed-off-by: Felix Fontein
---
 cmd/sops/subcommand/exec/exec_unix.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/cmd/sops/subcommand/exec/exec_unix.go b/cmd/sops/subcommand/exec/exec_unix.go
index f36d6326af..be7393dabc 100644
--- a/cmd/sops/subcommand/exec/exec_unix.go
+++ b/cmd/sops/subcommand/exec/exec_unix.go
@@ -51,6 +51,11 @@ func SwitchUser(username string) {
 uid, _ := strconv.Atoi(user.Uid)
 gid, _ := strconv.Atoi(user.Gid)
 
+ err = syscall.Setgroups([]int{gid})
+ if err != nil {
+ log.Fatal(err)
+ }
+
 err = syscall.Setgid(gid)
 if err != nil {
 log.Fatal(err)

From 82a1b8fd53a79351f5f3882426e9be55e74e1d6c Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Tue, 26 May 2026 17:23:05 +0200
Subject: [PATCH 2/2] Address review comments.

Signed-off-by: Felix Fontein
---
 cmd/sops/subcommand/exec/exec_unix.go | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/cmd/sops/subcommand/exec/exec_unix.go b/cmd/sops/subcommand/exec/exec_unix.go
index be7393dabc..c17e4a109c 100644
--- a/cmd/sops/subcommand/exec/exec_unix.go
+++ b/cmd/sops/subcommand/exec/exec_unix.go
@@ -51,7 +51,19 @@ func SwitchUser(username string) {
 uid, _ := strconv.Atoi(user.Uid)
 gid, _ := strconv.Atoi(user.Gid)
 
- err = syscall.Setgroups([]int{gid})
+ groupIds, err := user.GroupIds()
+ var intGroupIds []int
+ if err != nil {
+ log.Fatal(err)
+ intGroupIds = []int{gid}
+ } else {
+ intGroupIds = make([]int, len(groupIds))
+ for i, gid := range groupIds {
+ intGroupIds[i], _ = strconv.Atoi(gid)
+ }
+ }
+
+ err = syscall.Setgroups(intGroupIds)
 if err != nil {
 log.Fatal(err)
 }
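Review bot: In patch 1/2, the added `syscall.Setgroups` block carries no comment on why it sits ahead of `Setgid`, and that position is what makes it work. Changing the supplementary group list normally requires a privilege the process still holds at this point and gives up once the uid is switched (presumably further down in SwitchUser, outside this hunk), so a later reorder would turn the call into a fatal permission error. I would add above it `// Reset supplementary groups while still privileged; must run before the uid is changed.` SwitchUser starts and ends outside the hunk.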
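Review bot: In patch 2/2, `intGroupIds[i], _ = strconv.Atoi(gid)` discards the parse error, so a group ID that fails to parse is stored as 0 and `Setgroups` would then keep group 0 in the list of a process that is meant to drop privileges; the loop should abort on that error instead. The same hunk assigns `intGroupIds = []int{gid}` after `log.Fatal(err)`, which never runs because `log.Fatal` exits, so the dead fallback should be removed and the abort made the explicit behaviour. The loop variable `gid` also shadows the outer `gid`, and the context lines that parse `user.Uid` and `user.Gid` drop their errors the same way. SwitchUser starts and ends outside the hunk, so the reuse of `err` below is assumed from the existing `err =` assignments.

```go
groupIds, err := user.GroupIds()
if err != nil {
	// Fail closed: without the group list we cannot set a correct one.
	log.Fatal(err)
}
intGroupIds := make([]int, len(groupIds))
for i, g := range groupIds {
	// A discarded error here would silently store 0 (the root group).
	intGroupIds[i], err = strconv.Atoi(g)
	if err != nil {
		log.Fatal(err)
	}
}
// … unchanged: syscall.Setgroups(intGroupIds) and its error check …
```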