syscall: check secondary group membership for Faccessat(..., AT_EACCESS) on Linux

Follow glibc's implementation and check secondary group memberships
using Getgroups.

No test since we cannot easily change file permissions when not running
as root and the test is meaningless if running as root.

Same as CL 238722 did for x/sys/unix

Updates #39660

Change-Id: I6af50e27b255e33405558947a0ab3dfbc33b2d50
Reviewed-on: https://go-review.googlesource.com/c/go/+/238937
Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>

1 files changed, 15 insertions, 1 deletions

diff --git a/src/syscall/syscall_linux.go b/src/syscall/syscall_linux.go
index 2eba033d7c..07fe6a6c2b 100644
--- a/src/syscall/syscall_linux.go
+++ b/src/syscall/syscall_linux.go
@@ -35,6 +35,20 @@ func Creat(path string, mode uint32) (fd int, err error) {
 	return Open(path, O_CREAT|O_WRONLY|O_TRUNC, mode)
 }
 
+func isGroupMember(gid int) bool {
+	groups, err := Getgroups()
+	if err != nil {
+		return false
+	}
+
+	for _, g := range groups {
+		if g == gid {
+			return true
+		}
+	}
+	return false
+}
+
 //sys	faccessat(dirfd int, path string, mode uint32) (err error)
 
 func Faccessat(dirfd int, path string, mode uint32, flags int) (err error) {
@@ -92,7 +106,7 @@ func Faccessat(dirfd int, path string, mode uint32, flags int) (err error) {
 			gid = Getgid()
 		}
 
-		if uint32(gid) == st.Gid {
+		if uint32(gid) == st.Gid || isGroupMember(gid) {
 			fmode = (st.Mode >> 3) & 7
 		} else {
 			fmode = st.Mode & 7