x/sys/unix: Faccessat() fails to account for secondary group memberships when flags != 0 #39660
Labels
FrozenDueToAge
help wanted
NeedsInvestigation
Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
OS-Linux
Milestone
Go's Facessat() implementation fails to account for secondary group memberships when flags != 0 when determining whether a given file access is allowed. This causes it to return an error where file access would actually be allowed. The following example demonstrates the problem, with a file that is only readable because of secondary group membership:
The go implementation (https://golang.org/src/syscall/syscall_linux.go) references the glibc implementation (https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/unix/sysv/linux/faccessat.c;hb=HEAD) but where glibc calls __group_member() to check group memberships if file's gid != user's gid, the go implementation just does a last-resort check of world/other permissions.
Naturally, I'd expect
syscall.Faccessat()
to act like Cfaccessat()
... :)The text was updated successfully, but these errors were encountered: