Shit shit shit shit shit.

This is a major security hole - see my message to debian-changes.

For the technically minded, here is what do_command.c used to say:

    # if defined(BSD)
            initgroups(env_get("LOGNAME", e->envp), e->gid);
    # endif

I'm closing this bug report.

Could someone with access to a few other Linux systems please check them to see if they are vulnerable? If so we should make a posting to linux-alert.

Ian.
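Added example, not part of the original message and not cron's own code: a small check to run from an unprivileged user's crontab on a system being tested. It assumes the hole is that, with the initgroups() call compiled out, the job keeps the cron daemon's supplementary groups. It compares the job's groups with what the user database grants. The names unexpected_groups and MAX_GROUPS and the exit codes are choices made for this example.

```c
#define _DEFAULT_SOURCE   /* for getgrouplist() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_GROUPS 256    /* example limit, an assumption of this sketch */

/* Copy into `extra` every gid in `actual` that is absent from `expected`
 * and return how many were found. Pure function, so it is testable offline. */
int unexpected_groups(const gid_t *actual, int n_actual,
                      const gid_t *expected, int n_expected, gid_t *extra)
{
    int n_extra = 0;
    for (int i = 0; i < n_actual; i++) {
        int found = 0;
        for (int j = 0; j < n_expected; j++)
            if (actual[i] == expected[j]) { found = 1; break; }
        if (!found)
            extra[n_extra++] = actual[i];
    }
    return n_extra;
}

/* Exit status: 0 = clean, 1 = the job holds groups the user database
 * does not grant to this user, 2 = could not read credentials. */
int main(void)
{
    gid_t actual[MAX_GROUPS], expected[MAX_GROUPS], extra[MAX_GROUPS];
    int n_expected = MAX_GROUPS;
    struct passwd *pw = getpwuid(getuid());
    int n_actual = getgroups(MAX_GROUPS, actual);

    if (pw == NULL || n_actual < 0 ||
        getgrouplist(pw->pw_name, pw->pw_gid, expected, &n_expected) < 0) {
        fprintf(stderr, "cannot read credentials or group database\n");
        return 2;
    }
    int n_extra = unexpected_groups(actual, n_actual, expected, n_expected, extra);
    for (int i = 0; i < n_extra; i++)
        printf("unexpected supplementary group: %ld\n", (long)extra[i]);
    if (n_extra == 0)
        printf("groups match the group database for %s\n", pw->pw_name);
    return n_extra ? 1 : 0;
}
```

Cron mails the job's output to the user, so a line naming a group such as gid 0 that the user does not belong to indicates the system is affected.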