unix: check secondary group membership for Faccessat(..., AT_EACCESS) on Linux

Follow glibc's implementation and check secondary group memberships using Getgroups. No test since we cannot easily change file permissions when not running as root and the test is meaningless if running as root. Fixes golang/go#39660 Change-Id: Idb841242cbd1d8859f4e3c2c26b64a5e9523f9a4 Reviewed-on: https://go-review.googlesource.com/c/sys/+/238722 Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org>
2026-02-08 03:36:03 +03:00 · 2020-06-19 10:33:10 +02:00
parent f1bc736245
commit 981b61492c
1 changed files with 15 additions and 1 deletions
--- a/unix/syscall_linux.go
+++ b/unix/syscall_linux.go
@@ -1950,6 +1950,20 @@ func Vmsplice(fd int, iovs []Iovec, flags int) (int, error) {
 	return int(n), nil
 }

+func isGroupMember(gid int) bool {
+	groups, err := Getgroups()
+	if err != nil {
+		return false
+	}
+
+	for _, g := range groups {
+		if g == gid {
+			return true
+		}
+	}
+	return false
+}
+
 //sys	faccessat(dirfd int, path string, mode uint32) (err error)

 func Faccessat(dirfd int, path string, mode uint32, flags int) (err error) {
@@ -2007,7 +2021,7 @@ func Faccessat(dirfd int, path string, mode uint32, flags int) (err error) {
 			gid = Getgid()
 		}

-		if uint32(gid) == st.Gid {
+		if uint32(gid) == st.Gid || isGroupMember(gid) {
 			fmode = (st.Mode >> 3) & 7
 		} else {
 			fmode = st.Mode & 7