syscall: check secondary group membership for Faccessat(..., AT_EACCESS) on Linux

Follow glibc's implementation and check secondary group memberships
using Getgroups.

No test since we cannot easily change file permissions when not running
as root and the test is meaningless if running as root.

Same as CL 238722 did for x/sys/unix

Updates #39660

Change-Id: I6af50e27b255e33405558947a0ab3dfbc33b2d50
Reviewed-on: https://go-review.googlesource.com/c/go/+/238937
Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>

diff --git a/src/syscall/syscall_linux.go b/src/syscall/syscall_linux.go
index 2eba033d7c65d265a444f02b9f2c0f26948267c5..07fe6a6c2bc564e43f9891579528572a1e2e9068 100644 (file)
--- a/src/syscall/syscall_linux.go
+++ b/src/syscall/syscall_linux.go
@@ -35,6 +35,20 @@ func Creat(path string, mode uint32) (fd int, err error) {
        return Open(path, O_CREAT|O_WRONLY|O_TRUNC, mode)
 }
 
+func isGroupMember(gid int) bool {
+       groups, err := Getgroups()
+       if err != nil {
+               return false
+       }
+
+       for _, g := range groups {
+               if g == gid {
+                       return true
+               }
+       }
+       return false
+}
+
 //sys  faccessat(dirfd int, path string, mode uint32) (err error)
 
 func Faccessat(dirfd int, path string, mode uint32, flags int) (err error) {
@@ -92,7 +106,7 @@ func Faccessat(dirfd int, path string, mode uint32, flags int) (err error) {
                        gid = Getgid()
                }
 
-               if uint32(gid) == st.Gid {
+               if uint32(gid) == st.Gid || isGroupMember(gid) {
                        fmode = (st.Mode >> 3) & 7
                } else {
                        fmode = st.Mode & 7