From 8261c887aaf997655b95591c17b1068bb627dc9d Mon Sep 17 00:00:00 2001
From: Alexander Morozov <lk4d4math@gmail.com>
Date: Wed, 26 Aug 2015 20:45:28 -0700
Subject: [PATCH] syscall: don't call Setgroups if Credential.Groups is empty

Setgroups with zero-length groups is no-op for changing groups and
supposed to be used only for determining curent groups length. Also
because we deny setgroups by default if use GidMappings we have
unnecessary error from that no-op syscall.

Change-Id: I8f74fbca9190a3dcbbef1d886c518e01fa05eb62
Reviewed-on: https://go-review.googlesource.com/13938
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
---
 src/syscall/exec_linux.go      | 11 +++++------
 src/syscall/exec_linux_test.go |  8 ++++++++
 2 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/src/syscall/exec_linux.go b/src/syscall/exec_linux.go
index 9bac042124..8fe5491f90 100644
--- a/src/syscall/exec_linux.go
+++ b/src/syscall/exec_linux.go
@@ -191,13 +191,12 @@ func forkAndExecInChild(argv0 *byte, argv, envv []*byte, chroot, dir *byte, attr
 	// User and groups
 	if cred := sys.Credential; cred != nil {
 		ngroups := uintptr(len(cred.Groups))
-		var groups unsafe.Pointer
 		if ngroups > 0 {
-			groups = unsafe.Pointer(&cred.Groups[0])
-		}
-		_, _, err1 = RawSyscall(SYS_SETGROUPS, ngroups, uintptr(groups), 0)
-		if err1 != 0 {
-			goto childerror
+			groups := unsafe.Pointer(&cred.Groups[0])
+			_, _, err1 = RawSyscall(SYS_SETGROUPS, ngroups, uintptr(groups), 0)
+			if err1 != 0 {
+				goto childerror
+			}
 		}
 		_, _, err1 = RawSyscall(SYS_SETGID, uintptr(cred.Gid), 0, 0)
 		if err1 != 0 {
diff --git a/src/syscall/exec_linux_test.go b/src/syscall/exec_linux_test.go
index 60d2734f66..8c8773629d 100644
--- a/src/syscall/exec_linux_test.go
+++ b/src/syscall/exec_linux_test.go
@@ -109,3 +109,11 @@ func TestCloneNEWUSERAndRemapNoRootSetgroupsEnableSetgroups(t *testing.T) {
 		t.Fatalf("Unprivileged gid_map rewriting with GidMappingsEnableSetgroups must fail")
 	}
 }
+
+func TestEmptyCredGroupsDisableSetgroups(t *testing.T) {
+	cmd := whoamiCmd(t, os.Getuid(), os.Getgid(), false)
+	cmd.SysProcAttr.Credential = &syscall.Credential{}
+	if err := cmd.Run(); err != nil {
+		t.Fatal(err)
+	}
+}
-- 
2.48.1