From 981b61492c3565ea113dc1621ca30ef897df5586 Mon Sep 17 00:00:00 2001
From: Tobias Klauser
Date: Fri, 19 Jun 2020 10:33:10 +0200
Subject: [PATCH] unix: check secondary group membership for Faccessat(..., AT_EACCESS) on Linux
Follow glibc's implementation and check secondary group memberships using Getgroups. No test since we cannot easily change file permissions when not running as root and the test is meaningless if running as root.
Fixes golang/go#39660
Change-Id: Idb841242cbd1d8859f4e3c2c26b64a5e9523f9a4
Reviewed-on: https://go-review.googlesource.com/c/sys/+/238722
Run-TryBot: Tobias Klauser
TryBot-Result: Gobot Gobot
Reviewed-by: Ian Lance Taylor
---
 unix/syscall_linux.go | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/unix/syscall_linux.go b/unix/syscall_linux.go
index 7b7c7275..e50e4cb2 100644
--- a/unix/syscall_linux.go
+++ b/unix/syscall_linux.go
@@ -1950,6 +1950,20 @@ func Vmsplice(fd int, iovs []Iovec, flags int) (int, error) {
 return int(n), nil
 }
+func isGroupMember(gid int) bool {
+ groups, err := Getgroups()
+ if err != nil {
+ return false
+ }
+
+ for _, g := range groups {
+ if g == gid {
+ return true
+ }
+ }
+ return false
+}
+
 //sys faccessat(dirfd int, path string, mode uint32) (err error)
 func Faccessat(dirfd int, path string, mode uint32, flags int) (err error) {
@@ -2007,7 +2021,7 @@ func Faccessat(dirfd int, path string, mode uint32, flags int) (err error) {
 gid = Getgid()
 }
- if uint32(gid) == st.Gid {
+ if uint32(gid) == st.Gid || isGroupMember(gid) {
 fmode = (st.Mode >> 3) & 7
 } else {
 fmode = st.Mode & 7
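Review bot: isGroupMember swallows the Getgroups error and returns false, so in the Faccessat hunk a failed lookup is indistinguishable from non-membership and the check falls through to the "other" permission bits. For a file mode whose other bits are wider than its group bits, that yields a more permissive answer than the kernel would give. The helper also has no doc comment; I would add `// isGroupMember reports whether gid is in the calling process's supplementary group list. A Getgroups error is treated as non-membership.` and decide explicitly whether that fallback is acceptable for a permission check.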
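Review bot: The new condition passes `gid`, the process's own group ID, to isGroupMember, so it asks whether the process's primary group appears in its supplementary list rather than whether the file's group does. The membership test should take the file's group: `if uint32(gid) == st.Gid || isGroupMember(int(st.Gid)) {`, which, as far as I recall, is also what the glibc implementation cited in the commit message does. As written, a process whose own gid is returned by Getgroups gets the group bits applied to every file reaching this branch, including files whose group it is not in, while a file owned by one of its secondary groups otherwise still falls through to the "other" bits. Either way Faccessat can disagree with the kernel's decision, which matters to callers that use it as a permission pre-check. Faccessat's body starts and ends outside this hunk.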