syscall: don't call Setgroups if Credential.Groups is empty

Setgroups with zero-length groups is no-op for changing groups and
supposed to be used only for determining curent groups length. Also
because we deny setgroups by default if use GidMappings we have
unnecessary error from that no-op syscall.

Change-Id: I8f74fbca9190a3dcbbef1d886c518e01fa05eb62
Reviewed-on: https://go-review.googlesource.com/13938
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>

diff --git a/src/syscall/exec_linux.go b/src/syscall/exec_linux.go
index 9bac04212488763d3ac3be0d339c0c1cb90e91ac..8fe5491f9062b302898edb89bbd2a9f423e7bbd2 100644 (file)
--- a/src/syscall/exec_linux.go
+++ b/src/syscall/exec_linux.go
@@ -191,13 +191,12 @@ func forkAndExecInChild(argv0 *byte, argv, envv []*byte, chroot, dir *byte, attr
        // User and groups
        if cred := sys.Credential; cred != nil {
                ngroups := uintptr(len(cred.Groups))
-               var groups unsafe.Pointer
                if ngroups > 0 {
-                       groups = unsafe.Pointer(&cred.Groups[0])
-               }
-               _, _, err1 = RawSyscall(SYS_SETGROUPS, ngroups, uintptr(groups), 0)
-               if err1 != 0 {
-                       goto childerror
+                       groups := unsafe.Pointer(&cred.Groups[0])
+                       _, _, err1 = RawSyscall(SYS_SETGROUPS, ngroups, uintptr(groups), 0)
+                       if err1 != 0 {
+                               goto childerror
+                       }
                }
                _, _, err1 = RawSyscall(SYS_SETGID, uintptr(cred.Gid), 0, 0)
                if err1 != 0 {

diff --git a/src/syscall/exec_linux_test.go b/src/syscall/exec_linux_test.go
index 60d2734f66a8b0485bd8e77c4cabec10e546826f..8c8773629d1ca9b002ac23db31e71ec25f4a93be 100644 (file)
--- a/src/syscall/exec_linux_test.go
+++ b/src/syscall/exec_linux_test.go
@@ -109,3 +109,11 @@ func TestCloneNEWUSERAndRemapNoRootSetgroupsEnableSetgroups(t *testing.T) {
                t.Fatalf("Unprivileged gid_map rewriting with GidMappingsEnableSetgroups must fail")
        }
 }
+
+func TestEmptyCredGroupsDisableSetgroups(t *testing.T) {
+       cmd := whoamiCmd(t, os.Getuid(), os.Getgid(), false)
+       cmd.SysProcAttr.Credential = &syscall.Credential{}
+       if err := cmd.Run(); err != nil {
+               t.Fatal(err)
+       }
+}