diff --git a/tcp_wrappers-7.6-initgroups.patch b/tcp_wrappers-7.6-initgroups.patch
new file mode 100644
index 0000000..5bc5beb
--- /dev/null
+++ b/tcp_wrappers-7.6-initgroups.patch
@@ -0,0 +1,62 @@
+diff -up tcp_wrappers_7.6/options.c.initgroups tcp_wrappers_7.6/options.c
+--- tcp_wrappers_7.6/options.c.initgroups 2011-08-11 23:10:43.610418714 +0200
++++ tcp_wrappers_7.6/options.c 2011-08-12 05:51:17.748481294 +0200
+@@ -256,8 +256,12 @@ struct request_info *request;
+ tcpd_jump("unknown group: \"%s\"", value);
+ endgrent();
+ 
+- if (dry_run == 0 && setgid(grp->gr_gid))
+- tcpd_jump("setgid(%s): %m", value);
++ if (dry_run != 0) {
++ if (setgid(grp->gr_gid))
++ tcpd_jump("setgid(%s): %m", value);
++ if (setgroups(0, NULL))
++ tcpd_jump("setgroups(%s): %m", value);
++ }
+ }
+ 
+ /* user_option - switch user id */
+@@ -271,15 +275,26 @@ struct request_info *request;
+ struct passwd *pwd;
+ struct passwd *getpwnam();
+ char *group;
++ int defaultgroup = 0;
+ 
+ if ((group = split_at(value, '.')) != 0)
+ group_option(group, request);
++ else
++ defaultgroup = 1;
+ if ((pwd = getpwnam(value)) == 0)
+ tcpd_jump("unknown user: \"%s\"", value);
+ endpwent();
+ 
+- if (dry_run == 0 && setuid(pwd->pw_uid))
+- tcpd_jump("setuid(%s): %m", value);
++ if (dry_run != 0) {
++ if (setuid(pwd->pw_uid))
++ tcpd_jump("setuid(%s): %m", value);
++ if (defaultgroup) {
++ if (setgid(pwd->pw_gid))
++ tcpd_jump("setgid(%s): %m", value);
++ if (initgroups(value, pwd->pw_gid))
++ tcpd_jump("initgroups(%s): %m", value);
++ }
++ }
+ }
+ 
+ /* umask_option - set file creation mask */
+diff -up tcp_wrappers_7.6/safe_finger.c.initgroups tcp_wrappers_7.6/safe_finger.c
+--- tcp_wrappers_7.6/safe_finger.c.initgroups 2011-08-12 05:54:06.068606291 +0200
++++ tcp_wrappers_7.6/safe_finger.c 2011-08-12 05:55:34.835483785 +0200
+@@ -66,9 +66,11 @@ char **argv;
+ if (getuid() == 0 || geteuid() == 0) {
+ if ((pwd = getpwnam(UNPRIV_NAME)) && pwd->pw_uid > 0) {
+ setgid(pwd->pw_gid);
++ initgroups(UNPRIV_NAME, pwd->pw_gid);
+ setuid(pwd->pw_uid);
+ } else {
+ setgid(UNPRIV_UGID);
++ setgroups(0, NULL);
+ setuid(UNPRIV_UGID);
+ }
+ }
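Review bot: Both options.c hunks in the new patch invert the dry-run guard: the removed lines ran setgid()/setuid() only when `dry_run == 0`, but the added `if (dry_run != 0) {` blocks run them only during a dry run, so in real operation the `user=`/`group=` options no longer drop privileges at all while a dry run now does. In user_option the order is also wrong for the defaultgroup case: setuid() runs before setgid()/initgroups(), and once the uid is unprivileged those calls fail with EPERM and abort through tcpd_jump, so the group setup has to come before the uid change (as the safe_finger.c hunk already orders it). The safe_finger.c additions keep that file's habit of ignoring the return values of setgid()/initgroups()/setgroups()/setuid(), so a failed drop there passes silently. The group_option hunk only needs `if (dry_run == 0) {`; the user_option block is rewritten below. Both enclosing functions start and end outside the hunk.
```c
    if (dry_run == 0) {
        if (defaultgroup) {
            if (setgid(pwd->pw_gid))
                tcpd_jump("setgid(%s): %m", value);
            if (initgroups(value, pwd->pw_gid))
                tcpd_jump("initgroups(%s): %m", value);
        }
        if (setuid(pwd->pw_uid))
            tcpd_jump("setuid(%s): %m", value);
    }
```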
diff --git a/tcp_wrappers.spec b/tcp_wrappers.spec index 6470f8f..8b2d0f1 100644 --- a/tcp_wrappers.spec +++ b/tcp_wrappers.spec @@ -1,7 +1,7 @@ Summary: A security tool which acts as a wrapper for TCP daemons Name: tcp_wrappers Version: 7.6 -Release: 66%{?dist} +Release: 67%{?dist} %define LIB_MAJOR 0 %define LIB_MINOR 7 @@ -38,6 +38,7 @@ Patch23: tcp_wrappers-7.6-inetdconf.patch Patch24: tcp_wrappers-7.6-bug698464.patch Patch25: tcp_wrappers-7.6-relro.patch Patch26: tcp_wrappers-7.6-xgets.patch +Patch27: tcp_wrappers-7.6-initgroups.patch # required by sin_scope_id in ipv6 patch BuildRequires: glibc-devel >= 2.2 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -98,6 +99,7 @@ develop applications with tcp_wrappers support. %patch24 -p1 -b .698464 %patch25 -p1 -b .relro %patch26 -p1 -b .xgets +%patch27 -p1 -b .initgroups %build make RPM_OPT_FLAGS="$RPM_OPT_FLAGS -fPIC -DPIC -D_REENTRANT -DHAVE_STRERROR" LDFLAGS="-pie" MAJOR=%{LIB_MAJOR} MINOR=%{LIB_MINOR} REL=%{LIB_REL} linux @@ -155,6 +157,9 @@ rm -rf ${RPM_BUILD_ROOT} %{_mandir}/man3/* %changelog +* Mon Aug 15 2011 Jan F. Chadima - 7.6-67 +- clean (set up correctly) additional groups + * Mon Aug 15 2011 Jan F. Chadima - 7.6-66 - repair possible DOS in xgets