From 5e34bd61c8bb3a46e5c23d24aaea021ac3f7372a Mon Sep 17 00:00:00 2001
From: Adam Eijdenberg
Date: Sun, 26 Jun 2022 03:41:15 +0000
Subject: [PATCH] ssh/tailssh: limit setgroups to 16 on macOS
Fixes #4938
Signed-off-by: Adam Eijdenberg
(cherry picked from commit 9294a14a376e44d68087af40c97918431073276a)
---
 ssh/tailssh/incubator.go | 3 ++-
 ssh/tailssh/incubator_darwin.go | 12 ++++++++++++
 ssh/tailssh/incubator_linux.go | 4 ++++
 3 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/ssh/tailssh/incubator.go b/ssh/tailssh/incubator.go
index 873559e76..5f5423fe9 100644
--- a/ssh/tailssh/incubator.go
+++ b/ssh/tailssh/incubator.go
@@ -225,7 +225,8 @@ func beIncubator(args []string) error {
 }
 groupIDs = append(groupIDs, int(gid))
 }
- if err := syscall.Setgroups(groupIDs); err != nil {
+
+ if err := setGroups(groupIDs); err != nil {
 return err
 }
 if egid := os.Getegid(); egid != ia.gid {
diff --git a/ssh/tailssh/incubator_darwin.go b/ssh/tailssh/incubator_darwin.go
index d143883e6..960a8b08b 100644
--- a/ssh/tailssh/incubator_darwin.go
+++ b/ssh/tailssh/incubator_darwin.go
@@ -4,6 +4,18 @@
 package tailssh
+import "syscall"
+
 func (ia *incubatorArgs) loginArgs() []string {
 return []string{ia.loginCmdPath, "-fp", "-h", ia.remoteIP, ia.localUser}
 }
+
+func setGroups(groupIDs []int) error {
+ // darwin returns "invalid argument" if more than 16 groups are passed to syscall.Setgroups
+ // some info can be found here:
+ // https://opensource.apple.com/source/samba/samba-187.8/patches/support-darwin-initgroups-syscall.auto.html
+ // this fix isn't great, as anyone reading this has probably just wasted hours figuring out why
+ // some permissions thing isn't working, due to some arbitrary group ordering, but it at least allows
+ // this to work for more things than it previously did.
+ return syscall.Setgroups(groupIDs[:16])
+}
diff --git a/ssh/tailssh/incubator_linux.go b/ssh/tailssh/incubator_linux.go
index 67ed2ca19..38a644fbd 100644
--- a/ssh/tailssh/incubator_linux.go
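Review bot: In the darwin `setGroups`, `groupIDs[:16]` is applied unconditionally, so it misbehaves whenever the user has fewer than 16 groups: Go panics if the slice's capacity is below 16, and if `append` left spare capacity the reslice exposes zero-valued entries, which would presumably hand gid 0 to `syscall.Setgroups`. The truncation should be conditional, e.g. `if len(groupIDs) > 16 { groupIDs = groupIDs[:16] }` before the call. Because this runs while the incubator is setting the credentials for an SSH session, it would also help to log when groups are dropped, so that a missing permission can be traced back to the 16-group cap. How `groupIDs` is declared lies outside the hunk in incubator.go, so the capacity behaviour is inferred from the visible `append`.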
+++ b/ssh/tailssh/incubator_linux.go
@@ -177,3 +177,7 @@ func maybeStartLoginSessionLinux(logf logger.Logf, ia incubatorArgs) (func() err
 func (ia *incubatorArgs) loginArgs() []string {
 return []string{ia.loginCmdPath, "-f", ia.localUser, "-h", ia.remoteIP, "-p"}
 }
+
+func setGroups(groupIDs []int) error {
+ return syscall.Setgroups(groupIDs)
+}