unix: check secondary group membership for Faccessat(..., AT_EACCESS) on Linux
Follow glibc's implementation and check secondary group memberships
using Getgroups.
No test since we cannot easily change file permissions when not running
as root and the test is meaningless if running as root.
Fixes golang/go#39660
Change-Id: Idb841242cbd1d8859f4e3c2c26b64a5e9523f9a4
Reviewed-on: https://go-review.googlesource.com/c/sys/+/238722
Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
diff --git a/unix/syscall_linux.go b/unix/syscall_linux.go
index 7b7c727..e50e4cb 100644
--- a/unix/syscall_linux.go
+++ b/unix/syscall_linux.go
@@ -1950,6 +1950,20 @@
return int(n), nil
}
+func isGroupMember(gid int) bool {
+ groups, err := Getgroups()
+ if err != nil {
+ return false
+ }
+
+ for _, g := range groups {
+ if g == gid {
+ return true
+ }
+ }
+ return false
+}
+
//sys faccessat(dirfd int, path string, mode uint32) (err error)
func Faccessat(dirfd int, path string, mode uint32, flags int) (err error) {
@@ -2007,7 +2021,7 @@
gid = Getgid()
}
- if uint32(gid) == st.Gid {
+ if uint32(gid) == st.Gid || isGroupMember(gid) {
fmode = (st.Mode >> 3) & 7
} else {
fmode = st.Mode & 7
