Migrated from D23692, original review message from Malte Kraus
So I noticed that kdesu is setgid 'nogroup'. That group is the fallback
for groups from a remote NFS share that do not exist on the local machine.
Since kdesu does not deal with NFS, I wanted to get rid of this (ab)use
of 'nogroup'.
From all that I could gather (inline comments and a discussion on the
KDE su handbook), the goal of the setgid bit on the binary is not to
access any file as 'nogroup', but to prevent other processes of the
calling user from accessing cached passwords, e.g. through ptrace(),
core dumps or /proc/<pid>/memory. While setgid is one way to achieve
that, both Linux and FreeBSD allow setting a kernel flag to directly
to disable such access. So I went for that.