syscall: supplementary groups are not cleared #15865
Comments
Yup, it's confusing. I don't know what we should do by default though. Should we always clear them or only if requested? For example if
After more digging: This exact matter was discussed in https://codereview.appspot.com/4280065 -- the call to
Hmmm, it looks like exec_linux.go and exec_bsd.go behave differently. exec_bsd.go always calls setgroups if Credential is not nil, but exec_linux.go only calls setgroups if Credential.Groups has at least one element. That does not seem right.
I see, it changed for exec_linux.go only in https://golang.org/cl/13938 because passing 0 groups to the setgroups system call doesn't change anything. Should we close this issue or is there something to do?
@ianlancetaylor looks like it changes something after all. Maybe we should just revert that patch.
Would it work to simply revert 13938? Don't we need to fiddle with
https://go-review.googlesource.com/#/c/10670/ is the uid/gid mapping change if that helps...
@ianlancetaylor let me try, also I think test is needed also
@ianlancetaylor I think it's better to revert it and think about solution for mappings later :/
The change was already in Go 1.6. We have apparently broken programs that worked in Go 1.4, and we want to fix those. But we don't want to thereby break programs that are working today in Go 1.6.
@ianlancetaylor yeah, I think it's possible
@ianlancetaylor @aronatkins I've posted https://go-review.googlesource.com/#/c/23524/
Fixed by https://golang.org/cl/23524.
With Go 1.6, a call to setgroups happens under fewer conditions, meaning supplementary groups may not be cleared.

(go version)? go version go1.6.2 linux/amd64
(go env)?
Further system/kernel information:
Running with Go 1.4.3 (as root):
Running with Go 1.6.2 (as root):

With Go 1.4, exec.Cmd ends up calling setgroups even with an empty syscall.Credential.Groups.

Workaround: Specify a non-empty syscall.Credential.Groups where the single element matches the specified syscall.Credential.Gid.

This behavior was altered with the change: https://go-review.googlesource.com/#/c/13938/

@LK4D4
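
The workaround described in the report, with a check that the child really lost the parent's supplementary groups, as an added example (not code from the issue or from the Go project). The helper names dropTo, leakedGroups and checkChildGroups and the uid/gid 65534 are assumptions made for illustration; checkChildGroups must run as root on Linux.

```go
package main

import (
	"fmt"
	"os/exec"
	"strconv"
	"strings"
	"syscall"
)

// dropTo builds child attributes for uid/gid with the workaround applied:
// Groups is never empty, so setgroups is called even on affected versions.
func dropTo(uid, gid uint32) *syscall.SysProcAttr {
	return &syscall.SysProcAttr{
		Credential: &syscall.Credential{Uid: uid, Gid: gid, Groups: []uint32{gid}},
	}
}

// leakedGroups parses `id -G` output and returns every group other than gid.
func leakedGroups(idOutput string, gid uint32) ([]uint32, error) {
	var leaked []uint32
	for _, f := range strings.Fields(idOutput) {
		n, err := strconv.ParseUint(f, 10, 32)
		if err != nil {
			return nil, fmt.Errorf("unexpected id -G field %q: %v", f, err)
		}
		if uint32(n) != gid {
			leaked = append(leaked, uint32(n))
		}
	}
	return leaked, nil
}

// checkChildGroups runs `id -G` as uid/gid (requires root) and reports leaks.
func checkChildGroups(uid, gid uint32) ([]uint32, error) {
	cmd := exec.Command("id", "-G")
	cmd.SysProcAttr = dropTo(uid, gid)
	out, err := cmd.Output()
	if err != nil {
		return nil, err
	}
	return leakedGroups(string(out), gid)
}

func main() {
	// 65534 is a constructed sample uid/gid (assumption); run as root.
	leaked, err := checkChildGroups(65534, 65534)
	fmt.Println("leaked supplementary groups:", leaked, "error:", err)
}
```

A non-empty result from checkChildGroups means the child still carries groups inherited from the parent, which is the condition this issue reports.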