unix: check secondary group membership for Faccessat(..., AT_EACCESS) on Linux

Follow glibc's implementation and check secondary group memberships
using Getgroups.

No test since we cannot easily change file permissions when not running
as root and the test is meaningless if running as root.

Fixes golang/go#39660

Change-Id: Idb841242cbd1d8859f4e3c2c26b64a5e9523f9a4
Reviewed-on: https://go-review.googlesource.com/c/sys/+/238722
Run-TryBot: Tobias Klauser <[email protected]>
TryBot-Result: Gobot Gobot <[email protected]>
Reviewed-by: Ian Lance Taylor <[email protected]>

Author: tklauser

unix/syscall_linux.go

@@ -1950,6 +1950,20 @@ func Vmsplice(fd int, iovs []Iovec, flags int) (int, error) {
 	return int(n), nil
 }
 
+func isGroupMember(gid int) bool {
+	groups, err := Getgroups()
+	if err != nil {
+		return false
+	}
+
+	for _, g := range groups {
+		if g == gid {
+			return true
+		}
+	}
+	return false
+}
+
 //sys	faccessat(dirfd int, path string, mode uint32) (err error)
 
 func Faccessat(dirfd int, path string, mode uint32, flags int) (err error) {
@@ -2007,7 +2021,7 @@ func Faccessat(dirfd int, path string, mode uint32, flags int) (err error) {
 			gid = Getgid()
 		}
 
-		if uint32(gid) == st.Gid {
+		if uint32(gid) == st.Gid || isGroupMember(gid) {
 			fmode = (st.Mode >> 3) & 7
 		} else {
 			fmode = st.Mode & 7